Abstract

We present an authorization logic DTL0 that explicitly relativizes reasoning to beliefs of principals. The logic assumes that principals are conceited in their beliefs. We describe the natural deduction system, sequent calculus, Hilbert-style axiomatization, and Kripke semantics of the logic. We prove several meta-theoretic results including cut-elimination, and soundness and completeness for the Kripke semantics. Translations from several other authorization logics into DTL0, as well as formal connections between DTL0 and the modal logic constructive S4 are also presented. Finally, a related logic BL0 is considered and its properties are studied.

1 Introduction

Authorization refers to the act of deciding whether or not an agent making a request to perform an operation on a resource should be allowed to do so. For example, the agent may be a browser trying to read pages from a website. In that case, the site's web server may consult the browser's credentials and a .htaccess file to determine whether to send the pages or not. Such access control is pervasive in computer systems. As systems and their user environments evolve, policies used for access control may become complex and error prone. This suggests the need for formal mechanisms to represent, enforce, and analyze policies. Logic appears to be a useful mechanism for these purposes. Policies may be expressed as formulas in a suitably chosen logic. This has several merits. First, the logic's rigorous inference eliminates any ambiguity that may be inherent in a textual description of policies. Second, policies may be enforced end-to-end using generic logic-based mechanisms like proof-carrying authorization [8-10, 40]. Third, by writing policies in a logic, there is hope that the policies themselves can be checked for correctness against some given criteria (see e.g., [3, 33, 42, 44]).

Whereas first-order logic and sometimes propositional logic suffice to express many authorization policies, decentralized systems pose a peculiar challenge: how do we express and combine policies of different agents and systems? This is often necessary since policies and the authorizations derived from them may vary from system to system. Policies of different users, programs, and systems may also interact to allow or deny access. To model such decentralized policies, Abadi and others proposed logics with formulas of the form K says A, where K is an agent or a system (abstractly called a principal) and A is a formula representing a policy [6, 39]. The intended meaning of the formula is that principal K states, or believes, that policy A holds. From a logical perspective K says · is a modality and the logic is an indexed modal logic with one modality for each principal. We call such a modal logic an authorization logic. In the past fifteen years there have been numerous proposals describing authorization logics that differ widely in the specific axioms (or inference rules) used for K says · [2, 3, 8-10, 21, 23, 25, 31-33, 40, 41]. One emerging trend is the increased use of intuitionistic logics for authorization (e.g., [3, 25, 29, 31-33, 40, 50]) as opposed to classical logics.

This paper presents a new intuitionistic authorization logic called DTL0. This logic is peculiar in a certain respect: it abandons the usual objectivity in reasoning from hypotheses, relativizing hypothetical reasoning to principals. The hypothetical judgment of the logic has the form Γ ⊢_K A, which means, up to a first approximation, that principal K may reason from hypotheses Γ that A is true. While principal K reasons, K says A implies A for each A, thus making all policies local to K available. This may not be true when another principal K' reasons. Reasoning of different principals may interact through the says connective. Although this choice of binding hypothetical reasoning to principals may be unintuitive from a philosophical point of view, it seems quite apt for reasoning about authorization policies.

Our primary interest in developing DTL0 is deployment in proof-carrying authorization [8-10, 40]. Hence our main focus is DTL0's proof-theory, especially a natural deduction system (with proof-terms) and a sequent calculus, which we describe in detail. We prove several meta-theoretic properties of both formulations, including cut-elimination for the sequent calculus. We also present a Hilbert-style proof system for DTL0, and sound and complete Kripke semantics. The principal-centric reasoning of DTL0 is reflected in the Kripke semantics: worlds are explicitly associated with principals who may view them. This suggests that principals in DTL0 may be related to nominals from hybrid logic [15, 20, 22]. We also show that DTL0 is a generalization of constructive modal S4 [7, 46], and describe a sound and complete translation from DTL0 to multi-modal constructive S4.

Besides investigating the theory of DTL0, a second goal of this paper is to understand how the logic relates to existing authorization logics, and to the numerous logic-based languages for writing authorization policies (e.g., [11, 24, 37, 47]). In this regard we present simple, syntax directed translations from several families of authorization logics and an authorization language to DTL0, thus showing that DTL0 is at least as expressive as each of them. These translations are part of a more ambitious effort to establish a common framework in which policies written in different logics and languages may be combined. Some initial work in this direction using modal S4 as foundation may be found in earlier work [31].

DTL0 is a fragment of a larger authorization logic, DTL, which we are currently developing. The latter is quite broad, incorporating first-order quantifiers, explicit time for modeling time-bounded policies [25], and linearity for modeling consumable credentials [19, 21, 32]. Detailed investigation of these constructs is the subject of ongoing work. Besides these, there are some other aspects of authorization logics such as compound principals and delegation [6, 31, 39] which we also plan to investigate in the future. On a more practical note, we are implementing a file system with proof-carrying authorization based on DTL. We also plan to develop policy analysis tools using DTL.

By itself, this paper makes three main contributions. First, it presents the logic DTL0, investigating in detail its proof-theory (Sections 2 and 3). Second, it presents simple, intuitive translations from several existing policy formalisms to DTL0, thus taking a step towards a common foundation for combining policies represented in different formalisms (Section 5). A third, albeit minor contribution of the paper is sound and complete Kripke semantics (Section 4), which are relatively rare for authorization logics; the only other examples we know of are semantics for lax-like modalities [31], and those for an earlier logic based on the modal logic K [6]. We omit a description of large examples from this paper, leaving them to a separate paper.

2 The logic DTL0

DTL0 extends propositional intuitionistic logic with a principal-indexed modality, K says A. Principals, denoted K, are abstractions for users, programs, machines, and systems, that either create policies or request access to resources. We stipulate a fixed set of principals Prin, pre-ordered by a relation written ⪰. K1 ⪰ K2 is read "principal K1 is stronger than principal K2", and entails that K1 says A implies K2 says A for every formula A. We assume that Prin has at least one maximum element, called the local authority (denoted l).¹ The syntax of formulas in DTL0 is shown below. P denotes atomic formulas.

$$A, B, C ::= P \mid A \wedge B \mid A \vee B \mid \top \mid \bot \mid A \supset B \mid K\ \mathsf{says}\ A$$

¹ To the best of our understanding, the term local authority as used here was first introduced in the preview implementation of the language SecPAL [1].

Axiomatic Proof-System. A Hilbert-style proof-system for DTL0 consists of any axiomatization of propositional intuitionistic logic (see Appendix C for one possibility), and the following rules and axioms for K says A. We write ⊢_H A to mean that A is provable without assumptions (i.e., that A is a tautology).

$$\frac{\vdash_H A}{\vdash_H K\ \mathsf{says}\ A}\ (\mathrm{nec})$$

$$\vdash_H (K\ \mathsf{says}\ (A \supset B)) \supset ((K\ \mathsf{says}\ A) \supset (K\ \mathsf{says}\ B)) \quad (\mathrm{K})$$

$$\vdash_H (K\ \mathsf{says}\ A) \supset K\ \mathsf{says}\ K\ \mathsf{says}\ A \quad (4)$$

$$\vdash_H K\ \mathsf{says}\ ((K\ \mathsf{says}\ A) \supset A) \quad (\mathrm{C})$$

$$\vdash_H (K_1\ \mathsf{says}\ A) \supset (K_2\ \mathsf{says}\ A) \quad \text{if } K_1 \succeq K_2 \quad (\mathrm{S})$$

(nec) and (K) are the usual necessitation rule and closure under consequence axiom for normal modal logics (see e.g., [14]). (4) is also standard from modal logics such as S4. (C) is the characterizing axiom of DTL0. It has been used to characterize conceited reasoners in doxastic logic (hence the name C) [48]. Intuitively, the axiom means that every principal says that all its statements are true. Although the propriety of this axiom in the context of doxastic reasoning has been questioned (e.g., [48]), it seems quite useful for authorization. The axiom (S) means that whenever principal K1 believes a formula A, every weaker principal K2 believes it as well.

The following properties may be established in DTL0. ⊬_H A means that A is not valid in the stated generality (although specific instances of A may be valid). A ≡ B denotes (A ⊃ B) ∧ (B ⊃ A).

$$\vdash_H (l\ \mathsf{says}\ A) \supset (K\ \mathsf{says}\ A)$$

$$\vdash_H (K\ \mathsf{says}\ K\ \mathsf{says}\ A) \equiv (K\ \mathsf{says}\ A)$$

$$\nvdash_H A \supset K\ \mathsf{says}\ A$$

$$\nvdash_H (K\ \mathsf{says}\ A) \supset A$$

$$\vdash_H (K\ \mathsf{says}\ (A \wedge B)) \equiv ((K\ \mathsf{says}\ A) \wedge (K\ \mathsf{says}\ B))$$

$$\nvdash_H (K\ \mathsf{says}\ (A \vee B)) \supset ((K\ \mathsf{says}\ A) \vee (K\ \mathsf{says}\ B))$$

$$\nvdash_H \bot$$

$$\nvdash_H (K\ \mathsf{says}\ A) \supset (K'\ \mathsf{says}\ K\ \mathsf{says}\ A)$$

Defined Connectives. The last property above means that if K says A, not every principal K' may believe this. In some cases, this may not be desirable, since some policies may be stated and published by K and in these cases we may expect that K' says K says A. In particular, if K issues a credential containing a policy, we may want that the policy be believed by all principals. Further, there may be some policies that are believed by all principals. To model such published and shared policies, we introduce two defined connectives in the logic. The first connective, global A, implies K says A for each principal K, and may be understood as the statement that A is a common belief of all principals. The second connective, K publ A (read K publishes A) implies K' says K says A for each K', and intuitively means that K publishes the fact that it believes A. We define,

$$\mathsf{global}\ A \stackrel{\mathrm{def}}{=} l\ \mathsf{says}\ A$$

$$K\ \mathsf{publ}\ A \stackrel{\mathrm{def}}{=} \mathsf{global}\ (K\ \mathsf{says}\ A)$$

It is easy to check that the following hold.

$$\vdash_H (\mathsf{global}\ A) \supset K\ \mathsf{says}\ A$$

$$\vdash_H (\mathsf{global}\ A) \supset K\ \mathsf{publ}\ A$$

$$\vdash_H (K\ \mathsf{publ}\ A) \supset K\ \mathsf{says}\ A$$

$$\vdash_H (K\ \mathsf{publ}\ A) \supset K'\ \mathsf{says}\ (K\ \mathsf{says}\ A)$$

$$\nvdash_H (K\ \mathsf{says}\ A) \supset K\ \mathsf{publ}\ A$$

Example 2.1 (Policies in DTL0). We illustrate the use of DTL0 for expressing authorization policies through a simple example. Suppose that the principal OAL (Online Academic Library) represents an online repository of scientific articles. Academic institutions (such as CMU) may buy corporate subscriptions that allow all their members to download articles from OAL. It is up to the subscribing institutions to tell OAL who their members are. Alice is an individual who wishes to download an article from OAL. Let the formula downloadAlice mean that Alice may download articles from OAL, and let memberAliceCMU mean that Alice is a member of CMU. Further, let us assume that CMU has a subscription at OAL. The following represent possible policies of the principals.

1. OAL says ((CMU says memberAliceCMU) ⊃ memberAliceCMU)

2. OAL says (memberAliceCMU ⊃ downloadAlice)

3. CMU publ memberAliceCMU

The first policy, stated by OAL, means that if CMU says that Alice is its member, then this is the case. The second policy, also stated by OAL, means that if Alice is a member of CMU, then she may download articles. The third policy, stated and published by CMU, means that Alice is a member of CMU. It is easy to check that these three policies entail the formula OAL says downloadAlice in DTL0, and that this would not be the case if we changed publ to says in the last policy.
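
The entailment claimed at the end of Example 2.1 can be checked mechanically. The Python script below is an added example, not code from the paper: it implements a depth-bounded backward proof search for the propositional fragment of DTL0, following the sequent-style reading of the rules in Section 3 (saysR restricts the hypotheses to Γ|_K and switches the context to K; saysL, ∧L and the (claims) rule are applied eagerly because they are invertible; ⊃L and ∨L are bounded by a depth counter). The tuple encoding of formulas, the depth bound, and the principal preorder (the local authority l above every principal, plus an ORDER set of extra pairs that the script assumes is already transitively closed) are assumptions of the script, not notation from the paper. It derives OAL says downloadAlice from policies 1-3, fails once policy 3 uses says instead of publ, and property_table re-checks several of the properties listed above.

```python
# Added example, not code from the paper: depth-bounded backward proof search
# for the propositional fragment of DTL0, following the sequent-style reading
# of the rules in Section 3 (saysR, saysL, claims, and the standard rules).
# Formulas are tuples; a hypothesis is ("true", A) or ("claims", K, A).
# Assumed principal preorder: the local authority "l" is above every principal,
# and ORDER lists extra (stronger, weaker) pairs, taken as transitively closed.

LOCAL = "l"
ORDER = set()            # constructed: Example 2.1 needs no extra ordering

def stronger(k1, k2):
    """k1 ⪰ k2: reflexive, l on top, plus the pairs in ORDER."""
    return k1 == k2 or k1 == LOCAL or (k1, k2) in ORDER

def atom(p):     return ("atom", p)
def imp(a, b):   return ("imp", a, b)
def conj(a, b):  return ("and", a, b)
def disj(a, b):  return ("or", a, b)
def says(k, a):  return ("says", k, a)
TOP, BOT = ("top",), ("bot",)
def glob(a):     return says(LOCAL, a)         # global A  :=  l says A
def publ(k, a):  return glob(says(k, a))       # K publ A  :=  global (K says A)

def saturate(hyps, ctx):
    """Apply the invertible left rules in context ctx to a fixpoint: saysL
    (K says A true gives K claims A), ∧L, and (claims) (K claims A gives
    A true when K ⪰ ctx)."""
    hyps, grown = set(hyps), True
    while grown:
        grown = False
        for h in list(hyps):
            if h[0] == "true" and h[1][0] == "says":
                new = [("claims", h[1][1], h[1][2])]
            elif h[0] == "true" and h[1][0] == "and":
                new = [("true", h[1][1]), ("true", h[1][2])]
            elif h[0] == "claims" and stronger(h[1], ctx):
                new = [("true", h[2])]
            else:
                new = []
            for n in new:
                if n not in hyps:
                    hyps.add(n)
                    grown = True
    return frozenset(hyps)

def prove(hyps, ctx, goal, depth=8):
    """Is hyps ⊢_ctx goal true derivable?  True only when a derivation was
    found; False may also mean the depth bound on ⊃L/∨L was exhausted."""
    if depth < 0:
        return False
    hyps = saturate(hyps, ctx)
    if ("true", goal) in hyps or ("true", BOT) in hyps or goal == TOP:
        return True                              # init (any formula), ⊥L, ⊤R
    tag = goal[0]
    if tag == "and":
        return prove(hyps, ctx, goal[1], depth) and prove(hyps, ctx, goal[2], depth)
    if tag == "or":
        return prove(hyps, ctx, goal[1], depth) or prove(hyps, ctx, goal[2], depth)
    if tag == "imp":                             # ⊃R
        return prove(hyps | {("true", goal[1])}, ctx, goal[2], depth)
    if tag == "says":                            # saysR: keep Γ|_K and reason as K
        k, a = goal[1], goal[2]
        return prove({h for h in hyps if h[0] == "claims" and stronger(h[1], k)}, k, a, depth)
    for h in hyps:                               # ∨L: invertible case split
        if h[0] == "true" and h[1][0] == "or":
            rest = hyps - {h}
            return (prove(rest | {("true", h[1][1])}, ctx, goal, depth - 1)
                    and prove(rest | {("true", h[1][2])}, ctx, goal, depth - 1))
    for h in hyps:                               # ⊃L: prove the antecedent, add the consequent
        if h[0] == "true" and h[1][0] == "imp" and ("true", h[1][2]) not in hyps:
            if (prove(hyps, ctx, h[1][1], depth - 1)
                    and prove(hyps | {("true", h[1][2])}, ctx, goal, depth - 1)):
                return True
    return False

def entails(policies, ctx, goal):
    """Do the policies (taken as A true hypotheses) entail goal in context ctx?"""
    return prove({("true", p) for p in policies}, ctx, goal)

# Example 2.1, policies 1-3, and the variant with publ weakened to says.
member, download = atom("memberAliceCMU"), atom("downloadAlice")
POLICIES = [says("OAL", imp(says("CMU", member), member)),
            says("OAL", imp(member, download)),
            publ("CMU", member)]
POLICIES_SAYS = POLICIES[:2] + [says("CMU", member)]

def property_table(K="OAL", K2="CMU"):
    """Some Section 2 properties, checked without hypotheses in context l."""
    A = atom("A")
    return {"(l says A) ⊃ (K says A)":          prove(set(), LOCAL, imp(glob(A), says(K, A))),
            "K says ((K says A) ⊃ A)":         prove(set(), LOCAL, says(K, imp(says(K, A), A))),
            "A ⊃ K says A":                    prove(set(), LOCAL, imp(A, says(K, A))),
            "(K says A) ⊃ A":                  prove(set(), LOCAL, imp(says(K, A), A)),
            "(K says A) ⊃ K' says K says A":   prove(set(), LOCAL, imp(says(K, A), says(K2, says(K, A)))),
            "(K publ A) ⊃ K' says (K says A)": prove(set(), LOCAL, imp(publ(K, A), says(K2, says(K, A))))}

if __name__ == "__main__":
    goal = says("OAL", download)
    print("policies 1-3 entail OAL says downloadAlice:", entails(POLICIES, LOCAL, goal))
    print("same with says instead of publ:          ", entails(POLICIES_SAYS, LOCAL, goal))
```

The search is sound but not complete: every True answer corresponds to a derivation built from the rules, while False can also mean the depth bound ran out. Note that (K says A) ⊃ A, which property_table reports as not valid in context l, does become provable when the context is K itself (prove(set(), "OAL", imp(says("OAL", A), A))), which is exactly the context principle at work.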

3 Structural Proof Theory

Next we develop the structural proof theory of DTL0, namely a natural deduction system and a sequent calculus. Besides explaining the meanings of connectives precisely, the natural deduction formulation provides a syntax for proof terms that are a basis for proof-carrying authorization (our intended deployment for DTL0). The sequent calculus is necessary to prove some of the theorems in later sections. We also expect that the sequent calculus will be useful in proof-construction, which is also essential for proof-carrying authorization.

We follow Martin-Löf's judgmental method in developing the structural proof theory, and maintain a strong distinction between formulas and judgments [43]. The presentation of the natural deduction system is more directly based on Pfenning and Davies' work on constructive S4 [46], whereas the presentation of the sequent calculus is inspired by previous work of the author and others on multi-modal S4, also done in the context of access control [32]. In Section 3.6 we show that the natural deduction system, the sequent calculus, and the axiomatic system described earlier are equivalent.

3.1 Natural Deduction

In Martin-Löf's approach to type-theory and logic, formulas are distinguished from judgments. The latter are the objects of knowledge that may be established through proofs. Formulas are the subjects of judgments. For DTL0, we use two basic (categorical) judgments: A true, meaning that formula A is true, and K claims A, meaning that principal K believes or claims that formula A is true. The two categorical judgments do not entail each other in general. We often abbreviate A true to A, if it is clear from context that we mean the judgment A true and not the formula A.

Of course, in order to represent policies, it is necessary to combine claims of principals using connectives. Since judgments are distinct from formulas, and connectives only apply to the latter, we cannot use the judgment K claims A directly in such representations. Accordingly, we internalize the judgment K claims A into the syntax of formulas as K says A. In other words the judgments (K says A) true and K claims A are equivalent. Since K says A is a formula, it may be combined with other connectives.

Hypothetical Judgments

Reasoning from hypotheses or assumptions is a basic tenet of logic. Logics invariably allow hypothetical judgments of the form Γ ⊢ A, meaning that the assumptions in Γ entail formula A. A distinguishing characteristic of DTL0 is that hypothetical reasoning is always performed relative to the beliefs of a principal K, which we indicate in the hypothetical judgment; we write Γ ⊢_K A.² Formally, K is called the context of the hypothetical judgment, or the context of reasoning. The hypotheses are a (possibly empty) multiset of categorical judgments:

$$\Gamma ::= \cdot \mid \Gamma, C\ \mathsf{true} \mid \Gamma, K'\ \mathsf{claims}\ C$$

Reasoning in DTL0 is guided by three basic principles. The first principle, called the context principle, describes how the context K affects reasoning.

² A represents the judgment A true, not the formula A, but we usually elide the judgment name true.

Context principle. While reasoning in context K, the assumption K' claims A entails A true if K' ⪰ K.

We incorporate this principle into the natural deduction system by the following rule of inference.

$$\frac{K' \succeq K}{\Gamma, K'\ \mathsf{claims}\ A \vdash_K A}\ (\mathrm{claims})$$

Based on the context principle, we may define the meaning of the hypothetical judgment Γ ⊢_K A precisely as follows:

"Assuming that beliefs of principals stronger than K are true, the hypotheses Γ logically entail that A is true".

Although this choice of relativizing hypothetical judgments to beliefs of principals is non-standard, it seems quite useful from the perspective of access control, where an authorization may succeed or fail, depending on the policies applicable in the surrounding context.

Our second guiding principle, called the substitution principle, elaborates the meaning of hypotheses. It states that a hypothesis A true used in a proof may be substituted by an actual proof of the hypothesis.

Substitution principle. Γ ⊢_K A and Γ, A ⊢_K C imply Γ ⊢_K C.

Unlike the context principle which is incorporated directly as a rule in the natural deduction system, the substitution principle is established as a theorem.

Our third guiding principle, called the claim principle, defines the relation between the judgments K claims A and A true. Informally it states that K claims A holds if we can establish A true in context K from the claims of principals stronger than K. Formally, we define an operator Γ|_K that restricts the hypotheses Γ to the claims of principals stronger than K.

$$\Gamma|_K = \{(K'\ \mathsf{claims}\ C) \in \Gamma \mid K' \succeq K\}$$

The claim principle may then be written as follows.

Claim principle. Γ|_K ⊢_K A and Γ, K claims A ⊢_{K'} C imply Γ ⊢_{K'} C.

Like the substitution principle, the claim principle is admissible as a theorem in the natural deduction system. In fact, we prove the two principles simultaneously in a single theorem (Theorem 3.2).

Inference Rules

The inference rules of the natural deduction system are summarized in Figure 1. The most basic inference rule is (hyp). It means that if A true is a hypothesis, then A must be true.

$$\frac{}{\Gamma, A \vdash_K A}\ (\mathrm{hyp})$$

The rule (claims) captures the context principle as described earlier. The remaining rules are directed by the connectives of DTL0. For each connective, there are introduction rules (marked I) that specify how a proof of the connective may be constructed directly, and elimination rules (marked E) that specify how a proof of the connective may be used. In the following we describe briefly the rules for says.

$$\frac{}{\Gamma, A \vdash_K A}\ (\mathrm{hyp}) \qquad \frac{K' \succeq K}{\Gamma, K'\ \mathsf{claims}\ A \vdash_K A}\ (\mathrm{claims})$$

$$\frac{\Gamma|_K \vdash_K A}{\Gamma \vdash_{K'} K\ \mathsf{says}\ A}\ (\mathsf{says}I) \qquad \frac{\Gamma \vdash_{K'} K\ \mathsf{says}\ A \quad \Gamma, K\ \mathsf{claims}\ A \vdash_{K'} C}{\Gamma \vdash_{K'} C}\ (\mathsf{says}E)$$

$$\frac{\Gamma \vdash_K A \quad \Gamma \vdash_K B}{\Gamma \vdash_K A \wedge B}\ (\wedge I) \qquad \frac{\Gamma \vdash_K A \wedge B}{\Gamma \vdash_K A}\ (\wedge E_1) \qquad \frac{\Gamma \vdash_K A \wedge B}{\Gamma \vdash_K B}\ (\wedge E_2)$$

$$\frac{\Gamma \vdash_K A}{\Gamma \vdash_K A \vee B}\ (\vee I_1) \qquad \frac{\Gamma \vdash_K B}{\Gamma \vdash_K A \vee B}\ (\vee I_2) \qquad \frac{\Gamma \vdash_K A \vee B \quad \Gamma, A \vdash_K C \quad \Gamma, B \vdash_K C}{\Gamma \vdash_K C}\ (\vee E)$$

$$\frac{}{\Gamma \vdash_K \top}\ (\top I) \qquad \frac{\Gamma \vdash_K \bot}{\Gamma \vdash_K C}\ (\bot E) \qquad \frac{\Gamma, A \vdash_K B}{\Gamma \vdash_K A \supset B}\ (\supset I) \qquad \frac{\Gamma \vdash_K A \supset B \quad \Gamma \vdash_K A}{\Gamma \vdash_K B}\ (\supset E)$$

Figure 1: Natural Deduction for DTL0

How can we establish (K says A) true? Since (K says A) true is equivalent to K claims A, the claim principle tells us that (K says A) true may be established if we can establish A true in context K using assumptions of principals stronger than K. This is exactly what the rule (saysI) captures:

$$\frac{\Gamma|_K \vdash_K A}{\Gamma \vdash_{K'} K\ \mathsf{says}\ A}\ (\mathsf{says}I)$$

Dually, how can we use the fact (K says A) true? Again, since (K says A) true and K claims A are equivalent, from the fact (K says A) true, we should be able to assume K claims A. This is captured by the elimination rule (saysE):

$$\frac{\Gamma \vdash_{K'} K\ \mathsf{says}\ A \quad \Gamma, K\ \mathsf{claims}\ A \vdash_{K'} C}{\Gamma \vdash_{K'} C}\ (\mathsf{says}E)$$

Rules for the connectives ∧, ∨, ⊤, ⊥, and ⊃ are standard, with the exception that there is a context associated with each hypothetical judgment. We elide a description of these standard rules.


3.2 Meta-Theory of the Natural Deduction System

Having seen all the rules of the natural deduction system, we now seek to prove that the substitution and claim principles are admissible in DTL0. Before doing that, we establish another fundamental property called subsumption that is needed to complete the proof. Subsumption states that weaker contexts make more formulas provable. Intuitively, this follows from the definition of hypothetical judgments.

Theorem 3.1 (Subsumption). K ⪰ K' and Γ ⊢_K A imply Γ ⊢_{K'} A.

Proof. By induction on the derivation of Γ ⊢_K A. □

The following theorem formally states that both the substitution and claim principles hold.

Theorem 3.2 (Substitution and Claim). The following hold.

1. Γ ⊢_K A and Γ, A true ⊢_K C imply Γ ⊢_K C.

2. Γ|_K ⊢_K A and Γ, K claims A ⊢_{K'} C imply Γ ⊢_{K'} C.

Proof. By simultaneous induction on the second given derivations. In the case of (2), for rule (claims) we use Theorem 3.1. □

3.3 Proof Terms

The natural deduction system described above may be augmented with proof terms in the usual way. We use standard notation from the λ calculus for denoting most parts of proof terms; new notation is introduced only for the introduction and elimination forms of says. The syntax of proof terms is summarized below. x, y denote variables.

$$t ::= x \mid \lambda x.t \mid t_1\ t_2 \mid (t_1, t_2) \mid \mathsf{proj}_1\ t \mid \mathsf{proj}_2\ t \mid () \mid \mathsf{abort}\ t \mid \mathsf{inl}\ t \mid \mathsf{inr}\ t \mid \mathsf{case}(t, x.t_1, y.t_2) \mid \{t\}_K \mid t_1 \Right
arrow x.t_2$$

The constructors {t}_K and t1 ⇒ x.t2 are the introduction and elimination forms for K says A. The variables x, y in λx.t, case(t, x.t1, y.t2), and t1 ⇒ x.t2 are bound. We identify terms up to α-renaming of such bound variables.

Figure 2 shows the modified inference rules with proof terms. As usual, we name all assumptions in Γ by associating unique variables with them. We do not need to syntactically distinguish between variables associated with assumptions A true and those associated with assumptions K claims A. Hypothetical judgments are augmented with proof terms; they take the form Γ ⊢_K t : A. The definition of Γ|_K is lifted to include variables: Γ|_K = {(x : K' claims C) ∈ Γ | K' ⪰ K}.

Once again, we can prove a subsumption principle:

Theorem 3.3 (Subsumption). K ⪰ K' and Γ ⊢_K t : A imply Γ ⊢_{K'} t : A.

Proof. By induction on the derivation of Γ ⊢_K t : A. □

Let [t1/x]t2 denote the capture avoiding substitution of t1 for all occurrences of x in t2. (We elide the obvious definition.) The substitution and claim principles (Theorem 3.2) may be modified, obtaining the following new principles.

Theorem 3.4 (Substitution and Claim). The following hold.

1. Γ ⊢_K t1 : A and Γ, x : A true ⊢_K t2 : C imply Γ ⊢_K [t1/x]t2 : C.

2. Γ|_K ⊢_K t1 : A and Γ, x : K claims A ⊢_{K'} t2 : C imply Γ ⊢_{K'} [t1/x]t2 : C.

Proof. By simultaneous induction on the second given derivations. □

$$\frac{}{\Gamma, x : A \vdash_K x : A}\ (\mathrm{hyp}) \qquad \frac{K' \succeq K}{\Gamma, x : K'\ \mathsf{claims}\ A \vdash_K x : A}\ (\mathrm{claims})$$

$$\frac{\Gamma|_K \vdash_K t : A}{\Gamma \vdash_{K'} \{t\}_K : K\ \mathsf{says}\ A}\ (\mathsf{says}I) \qquad \frac{\Gamma \vdash_{K'} t_1 : K\ \mathsf{says}\ A \quad \Gamma, x : K\ \mathsf{claims}\ A \vdash_{K'} t_2 : C}{\Gamma \vdash_{K'} t_1 \Rightarrow x.t_2 : C}\ (\mathsf{says}E)$$

$$\frac{\Gamma \vdash_K t_1 : A \quad \Gamma \vdash_K t_2 : B}{\Gamma \vdash_K (t_1, t_2) : A \wedge B}\ (\wedge I) \qquad \frac{\Gamma \vdash_K t : A \wedge B}{\Gamma \vdash_K \mathsf{proj}_1\ t : A}\ (\wedge E_1) \qquad \frac{\Gamma \vdash_K t : A \wedge B}{\Gamma \vdash_K \mathsf{proj}_2\ t : B}\ (\wedge E_2)$$

$$\frac{\Gamma \vdash_K t : A}{\Gamma \vdash_K \mathsf{inl}\ t : A \vee B}\ (\vee I_1) \qquad \frac{\Gamma \vdash_K t : B}{\Gamma \vdash_K \mathsf{inr}\ t : A \vee B}\ (\vee I_2)$$

$$\frac{\Gamma \vdash_K t : A \vee B \quad \Gamma, x : A \vdash_K t_1 : C \quad \Gamma, y : B \vdash_K t_2 : C}{\Gamma \vdash_K \mathsf{case}(t, x.t_1, y.t_2) : C}\ (\vee E)$$

$$\frac{}{\Gamma \vdash_K () : \top}\ (\top I) \qquad \frac{\Gamma \vdash_K t : \bot}{\Gamma \vdash_K \mathsf{abort}\ t : C}\ (\bot E)$$

$$\frac{\Gamma, x : A \vdash_K t : B}{\Gamma \vdash_K \lambda x.t : A \supset B}\ (\supset I) \qquad \frac{\Gamma \vdash_K t_1 : A \supset B \quad \Gamma \vdash_K t_2 : A}{\Gamma \vdash_K t_1\ t_2 : B}\ (\supset E)$$

Figure 2: Proof terms for DTL0
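
The rules of Figure 2 are what a proof-carrying authorization verifier has to implement: given the policy hypotheses, a context, and a proof term supplied with the request, it decides whether the term proves the requested formula. The Python script below is an added example, not code from the paper, that checks proof terms for the ⊃, ∧, ⊤ and says fragment of Figure 2. Its assumptions: λ-abstractions carry the type of the bound variable (the paper's λx.t is unannotated, and the annotation avoids type inference); the local authority l is above every principal and an ORDER set holds any further pairs, taken as transitively closed; and the tuple encodings of formulas and terms are the script's own. The constructed term PROOF encodes the derivation of OAL says downloadAlice from the three policies of Example 2.1 and is rejected once the third hypothesis is weakened from CMU publ to CMU says, because Γ|_OAL then drops the variable bound to CMU's claim.

```python
# Added example, not code from the paper: a checker for DTL0 proof terms in
# the ⊃, ∧, ⊤, says fragment of Figure 2, i.e. the verifier side of
# proof-carrying authorization.  Assumptions of this script: λ-abstractions
# carry the type of the bound variable, ("lam", x, A, t), so that checking
# needs no inference of A; the local authority "l" is above every principal
# and ORDER lists extra (stronger, weaker) pairs, taken as transitively closed.

LOCAL = "l"
ORDER = set()

def stronger(k1, k2):
    return k1 == k2 or k1 == LOCAL or (k1, k2) in ORDER

def atom(p):    return ("atom", p)
def imp(a, b):  return ("imp", a, b)
def conj(a, b): return ("and", a, b)
def says(k, a): return ("says", k, a)
TOP = ("top",)

class ProofError(Exception):
    """Raised when a term does not prove anything in the given context."""

def infer(env, ctx, term):
    """Return the formula A with  env ⊢_ctx term : A, or raise ProofError.
    env maps a variable to ("true", A) or ("claims", K, A)."""
    tag = term[0]
    if tag == "var":                                     # (hyp) / (claims)
        x = term[1]
        if x not in env:
            raise ProofError(f"{x} is not available in context {ctx}")
        b = env[x]
        if b[0] == "true":
            return b[1]
        if not stronger(b[1], ctx):                      # context principle: K' ⪰ ctx required
            raise ProofError(f"claims of {b[1]} are not usable in context {ctx}")
        return b[2]
    if tag == "lam":                                     # (⊃I)
        _, x, a, body = term
        return imp(a, infer({**env, x: ("true", a)}, ctx, body))
    if tag == "app":                                     # (⊃E)
        f, a = infer(env, ctx, term[1]), infer(env, ctx, term[2])
        if f[0] != "imp" or f[1] != a:
            raise ProofError("argument does not match the implication")
        return f[2]
    if tag == "pair":                                    # (∧I)
        return conj(infer(env, ctx, term[1]), infer(env, ctx, term[2]))
    if tag in ("proj1", "proj2"):                        # (∧E1), (∧E2)
        p = infer(env, ctx, term[1])
        if p[0] != "and":
            raise ProofError("projection from a non-conjunction")
        return p[1] if tag == "proj1" else p[2]
    if tag == "unit":                                    # (⊤I)
        return TOP
    if tag == "box":                                     # (saysI): {t}_K, checked under Γ|_K in context K
        _, k, body = term
        restricted = {y: b for y, b in env.items() if b[0] == "claims" and stronger(b[1], k)}
        return says(k, infer(restricted, k, body))
    if tag == "unbox":                                   # (saysE): t1 ⇒ x.t2
        _, t1, x, t2 = term
        s = infer(env, ctx, t1)
        if s[0] != "says":
            raise ProofError("⇒ applied to a proof that is not of a says formula")
        return infer({**env, x: ("claims", s[1], s[2])}, ctx, t2)
    raise ProofError(f"unknown term constructor {tag}")

def check(env, ctx, term, expected):
    """The PCA decision: accept the request only if term proves expected."""
    try:
        return infer(env, ctx, term) == expected
    except ProofError:
        return False

# Example 2.1 as hypotheses p1-p3 and a constructed proof term for OAL says downloadAlice.
m, d = atom("memberAliceCMU"), atom("downloadAlice")
ENV = {"p1": ("true", says("OAL", imp(says("CMU", m), m))),
       "p2": ("true", says("OAL", imp(m, d))),
       "p3": ("true", says(LOCAL, says("CMU", m)))}          # CMU publ memberAliceCMU
V = lambda x: ("var", x)
PROOF = ("unbox", V("p1"), "x1",
         ("unbox", V("p2"), "x2",
          ("unbox", V("p3"), "x3",
           ("box", "OAL", ("app", V("x2"), ("app", V("x1"), V("x3")))))))
ENV_SAYS = {**ENV, "p3": ("true", says("CMU", m))}           # publ weakened to says

if __name__ == "__main__":
    print(infer(ENV, LOCAL, PROOF))                          # ('says', 'OAL', ('atom', 'downloadAlice'))
    print(check(ENV_SAYS, LOCAL, PROOF, says("OAL", d)))     # False: x3 is dropped by Γ|_OAL
```

Because (saysI) restricts the environment to Γ|_K and switches the context to K, the checker accepts PROOF in any outer context (l, OAL or CMU), which is the behaviour the saysI rule has as reconstructed above with an arbitrary conclusion context K'. The same restriction is what makes the says variant fail: inside {·}_OAL only claims of principals at least as strong as OAL survive, and CMU is not one of them.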

Local Reduction and Local Expansion

Pfenning and Davies proposed two general principles to verify that the inference rules in a natural deduction system fit well with each other [46]. They called these principles local soundness and local completeness. In the following we present these principles for DTL0 with proof terms. Analogous principles may also be obtained at the level of proofs instead of proof terms.

Briefly, local soundness states that if the introduction of a connective is immediately followed by its elimination in a proof, then it should be possible to locally reduce the proof by eliminating this detour. Local soundness for a connective guarantees that the elimination rule(s) for the connective are not too strong, i.e., they do not conclude any formula that would not already follow from the inputs to the introduction rule(s) of the connective. The dual principle, local completeness, states that given any proof of a formula, it should be possible to locally expand the proof by eliminating its top level connective and re-introducing it, obtaining a bigger proof of the original formula. Local completeness for a connective guarantees that its elimination rule(s) are strong enough to conclude everything that is needed to re-constitute a proof of the connective from its introduction rule(s). Together the two principles provide assurance that the introduction and elimination rules are in harmony with each other.

Under the Curry-Howard isomorphism, local reduction and local expansion correspond to the familiar concepts of β-reduction and η-expansion, respectively. We present type-directed variants of β-reduction and η-expansion for DTL0 in Figure 3. In addition to these rules, there are a number of congruence rules, which we list in Appendix A. Our β-reduction and η-expansion rules are somewhat unusual since they include type information, and apply only to well-typed terms. For example, β-reduction has the form Γ ⊢_K t →β t' : A, meaning that the proof term t (proving A true under hypotheses Γ in context K) β-reduces to t'. We prove separately (see Theorem 3.5 below) that if Γ ⊢_K t →β t' : A, then Γ ⊢_K t : A and Γ ⊢_K t' : A. This theorem subsumes the usual type-preservation or subject reduction theorem. The treatment of η-expansion is similar. It is easy to see that on well-typed terms without the constructors {t}_K and t1 ⇒ x.t2 our definitions of β-reduction and η-expansion coincide with conventional (untyped) definitions.

β-reduction

$$\frac{\Gamma \vdash_K t_1 : A \quad \Gamma \vdash_K t_2 : B}{\Gamma \vdash_K \mathsf{proj}_1\ (t_1, t_2) \to_\beta t_1 : A} \qquad \frac{\Gamma \vdash_K t_1 : A \quad \Gamma \vdash_K t_2 : B}{\Gamma \vdash_K \mathsf{proj}_2\ (t_1, t_2) \to_\beta t_2 : B}$$

$$\frac{\Gamma, x : A \vdash_K t_1 : B \quad \Gamma \vdash_K t_2 : A}{\Gamma \vdash_K (\lambda x.t_1)\ t_2 \to_\beta [t_2/x]t_1 : B}$$

$$\frac{\Gamma|_K \vdash_K t_1 : A \quad \Gamma, x : K\ \mathsf{claims}\ A \vdash_{K'} t_2 : C}{\Gamma \vdash_{K'} (\{t_1\}_K \Rightarrow x.t_2) \to_\beta [t_1/x]t_2 : C}$$

$$\frac{\Gamma \vdash_K t : A \quad \Gamma, x : A \vdash_K t_1 : C \quad \Gamma, y : B \vdash_K t_2 : C}{\Gamma \vdash_K \mathsf{case}(\mathsf{inl}\ t, x.t_1, y.t_2) \to_\beta [t/x]t_1 : C}$$

$$\frac{\Gamma \vdash_K t : B \quad \Gamma, x : A \vdash_K t_1 : C \quad \Gamma, y : B \vdash_K t_2 : C}{\Gamma \vdash_K \mathsf{case}(\mathsf{inr}\ t, x.t_1, y.t_2) \to_\beta [t/y]t_2 : C}$$

η-expansion

$$\frac{\Gamma \vdash_K t : A \wedge B}{\Gamma \vdash_K t \to_\eta (\mathsf{proj}_1\ t, \mathsf{proj}_2\ t) : A \wedge B} \qquad \frac{\Gamma \vdash_K t : \top}{\Gamma \vdash_K t \to_\eta () : \top}$$

$$\frac{\Gamma \vdash_K t : A \supset B}{\Gamma \vdash_K t \to_\eta \lambda x.(t\ x) : A \supset B}\ (x \notin \Gamma) \qquad \frac{\Gamma \vdash_K t : A \vee B}{\Gamma \vdash_K t \to_\eta \mathsf{case}(t, x.\mathsf{inl}\ x, y.\mathsf{inr}\ y) : A \vee B}$$

$$\frac{\Gamma \vdash_K t : \bot}{\Gamma \vdash_K t \to_\eta \mathsf{abort}\ t : \bot} \qquad \frac{\Gamma \vdash_{K'} t : K\ \mathsf{says}\ A}{\Gamma \vdash_{K'} t \to_\eta (t \Rightarrow x.\{x\}_K) : K\ \mathsf{says}\ A}$$

Figure 3: Basic rules for β-reduction and η-expansion

Theorem 3.5 (Typing). If Γ ⊢_K t →β t' : A or Γ ⊢_K t →η t' : A then,

1. Γ ⊢_K t : A

2. Γ ⊢_K t' : A

Proof. In each case by induction on the given derivation of Γ ⊢_K t →β t' : A or Γ ⊢_K t →η t' : A. □

Figure 4: Sequent calculus for DTL0

3.4 Sequent Calculus

Next, we describe a sequent calculus for DTL0. As in the natural deduction system, we maintain a distinction between formulas and judgments. The categorical and hypothetical judgments used in the sequent calculus are the same as those in the natural deduction system. To avoid confusion with the natural deduction system, we write hypothetical judgments in the sequent calculus as $\Gamma \xrightarrow{K} A$, and call them sequents.³ The inference rules of the sequent calculus are shown in Figure 4. With the exception of (init) and (claims), all rules are directed by the connectives of DTL0. For each connective we have right rules which describe how the connective may be inferred as the conclusion of the sequent, and left rules which specify how the connective may be used as a hypothesis.

Rule (init) states that if we assume that an atomic formula $P$ is true, then in any context $K$ we may conclude that $P$ is true. For non-atomic formulas, we prove a corresponding result as a theorem (see Theorem 3.8). The rules (claims), (saysR), and (saysL) characterize DTL0. Read from the conclusion to the premises, rule (claims) states that whenever we assume $K$ claims $A$, we are also justified in assuming that $A$ is true, if we are reasoning in a context $K'$ such that $K \succeq K'$. This captures the context principle described earlier.

Rule (saysR) is analogous to the rule (saysI) from the natural deduction system and means that $K$ says $A$ may be established in any context if we can prove in context $K$ that $A$ is true using only the claims of principals stronger than $K$. Rule (saysL) captures the idea that $K$ says $A$ internalizes $K$ claims $A$: if we assume that $K$ says $A$ is true, then we may also assume $K$ claims $A$. The rules for the connectives $\wedge$, $\vee$, $\top$, $\bot$, and $\supset$ are standard, except for a context which is associated with each sequent.

³ Technically, in the sequent calculus there is a distinction between hypotheses $A$ true and conclusions $A$ true; they are distinct categorical judgments. However, this distinction is always evident from the positions of the judgments in sequents, and we avoid separating the two in syntax.

3.5 Meta-Theory of the Sequent Calculus

The sequent calculus described above enjoys several meta-theoretic properties. For example, it is evident from the rules in Figure 4 that the sequent calculus enjoys the subformula property, i.e., any formula occurring in the proof of a sequent must occur inside the formulas of the sequent. Several structural properties such as weakening also hold in the sequent calculus. As for the natural deduction system, we may also establish a subsumption principle for the sequent calculus.

Theorem 3.6 (Subsumption). $\Gamma \xrightarrow{K} A$ and $K \succeq K'$ imply $\Gamma \xrightarrow{K'} A$.

Proof. By induction on the given derivation of $\Gamma \xrightarrow{K} A$. See Appendix B for details. □

A very important property of the sequent calculus is cut-elimination [35]. This property is analogous to the substitution principle and the claim principle; formally it states that adding a cut rule to a sequent calculus does not make more judgments provable. More generally, it implies that all (natural deduction) proofs can be normalized. Besides providing assurance of the logic's strong foundation, proof normalization is sometimes useful for auditing proofs. Instead of stating explicitly the rules of cut for our sequent calculus and showing that they may be eliminated, we prove the following theorem which states that cut principles analogous to the substitution principle and the claim principle are admissible in the sequent calculus.

Theorem 3.7 (Admissibility of Cut). The following cut principles hold for the sequent calculus of Figure 4.

1. $\Gamma \xrightarrow{K} A$ and $\Gamma, A \xrightarrow{K} C$ imply that $\Gamma \xrightarrow{K} C$.

2. $\Gamma|_K \xrightarrow{K} A$ and $\Gamma, K\ \mathit{claims}\ A \xrightarrow{K'} C$ imply that $\Gamma \xrightarrow{K'} C$.

Proof. Both statements can be proved simultaneously by lexicographic induction, first on the size of the cut judgments ($A$ true or $K$ claims $A$), and then on the size of the two given derivations, as in earlier work [45]. See Appendix B for details. □

The logical dual of the cut-elimination theorem is the following identity theorem, which states that whenever $A$ true is assumed as a hypothesis, we may conclude it. This generalizes the (init) rule from atomic to arbitrary formulas.

Theorem 3.8 (Identity). For each formula $A$, $\Gamma, A \xrightarrow{K} A$.

Proof. By induction on $A$. See Appendix B for details. □
3.6 Equivalence

An obvious question is whether the axiomatic system, natural deduction system, and sequent calculus presented for DTL0 validate the same judgments. The following theorem shows that the natural deduction system and sequent calculus validate exactly the same judgments, and that they can be embedded trivially into the axiomatic system.

Theorem 3.9 (Equivalence). The following are equivalent for any $K$ and $A$.

1. $\cdot \vdash_K A$ in the natural deduction system.

2. $\cdot \xrightarrow{K} A$ in the sequent calculus.

3. $\vdash_H K\ \mathit{says}\ A$ in the axiomatic system.

Proof. See Appendix C. □

Observe that there is no equivalent of $\vdash_H B$ in the sequent calculus (or natural deduction system) unless $B$ has the form $K$ says $A$. In this sense, the above theorem actually embeds the sequent calculus into the axiomatic system. While it is possible to recover the entire axiomatic system in the sequent calculus by adding non-indexed hypothetical judgments $\Gamma \longrightarrow A$, this extension seems uninteresting for authorization policies, and we omit it.

4 Kripke Semantics for DTL0

Next we describe sound and complete Kripke semantics for DTL0. Although not directly applicable to policies, Kripke semantics are an invaluable tool for proving properties of the logic (e.g., [4, 31]). There is also hope that Kripke countermodels can be used as proofs of failure, in case an authorization does not succeed. Our presentation of Kripke semantics is inspired by work on the modal logic constructive S4 [7], and also uses some ideas from work on Kripke semantics of lax logic [27, 31].

The distinguishing characteristic of our Kripke semantics are views [31]. With each world $w$, we associate a set of principals $\theta(w)$ to whom the world is said to be visible. Our correctness property is that $\cdot \xrightarrow{K} A$ if and only if each world visible to $K$ satisfies $A$.⁴ In this manner, views allow us to distinguish reasoning in one context from that in another. If $K \succeq K'$ then we require that any world visible to $K'$ also be visible to $K$. This ensures that context $K$ validates fewer formulas than context $K'$, and captures the subsumption principle (Theorem 3.6).

We model falsehood by explicitly specifying in each frame a set $F$ of worlds where $\bot$ holds. These worlds are called fallible worlds [26, 27, 49]. We say that $w \models \bot$ iff $w \in F$. To model intuitionistic implication, we use a pre-order $\leq$ between worlds (as usual) and say that $w \models A \supset B$ iff for all $w'$, $w \leq w'$ and $w' \models A$ imply $w' \models B$. Finally, to model the modality says, we use a principal-indexed binary relation $\sqsubseteq_K$ between worlds and define:

$w \models K\ \mathit{says}\ A$ iff either $w \in F$ or for all $w', w''$, $w \leq w' \sqsubseteq_K w''$ implies $w'' \models A$.

The clause $w \in F$ in the above definition is required to validate $\bot \supset K\ \mathit{says}\ A$. The remaining definition is a generalization of satisfaction for $\Box A$ from Kripke semantics of constructive S4 [7]. To validate axiom (4), we stipulate that $\leq$ be a subset of

Both the use of a pre-order to model intuitionistic implication, and the use of different binary relations to model each modality are standard in modal logic. The novelty here is the interaction of these relations with views. We require that $\leq$ preserve views, i.e., if $w \leq w'$ and $w$ is visible to $K$, then $w'$ is also visible to $K$. We also require that whenever $w \sqsubseteq_K w'$, $w'$ is visible to $K$. For example, in the definition of $w \models K$ says $A$ above, $w''$ would be visible to $K$. By forcing these restrictions, we ensure that the semantics of all connectives except $K$ says $\cdot$ can be defined without changing views. On the other hand, the semantics of $K$ says $\cdot$ shift the reasoning to worlds that are visible to $K$. This subtle interaction between views and binary relations captures the exact meaning of formulas in DTL0.

⁴ Throughout this section and the next, we use the sequent calculus of DTL0 to state correctness properties. Use of the sequent calculus as opposed to the natural deduction system or the axiomatic system is partly a matter of personal taste and partly a matter of technical convenience.

Definition 4.1 (Kripke Models). A Kripke model $M$ for DTL0 is a tuple $(W, \theta, \leq, (\sqsubseteq_K)_{K \in \mathrm{Prin}}, \rho, F)$, where

- $W$ is a non-empty set of worlds (worlds are denoted $w$).

- $\theta : W \mapsto 2^{\mathrm{Prin}}$ is a view function that maps each world $w$ to a set of principals. If $K \in \theta(w)$, we say that $w$ is visible to $K$, else $w$ is said to be invisible to $K$. We often write $W_K$ for the set $\{w \in W \mid K \in \theta(w)\}$. We require that:

  (View-closure) $K \in \theta(w)$ and $K' \succeq K$ imply $K' \in \theta(w)$.

- $\leq$ is a pre-order on $W$ called the implication relation. We require that:

  (Imp-mon) $w \leq w'$ implies $\theta(w) \subseteq \theta(w')$.

- For each $K$, $\sqsubseteq_K$ is a subset of $W \times W_K$ called the modality relation. We require that:

  (Mod-refl) If $w \in W_K$, then $w \sqsubseteq_K w$.

  (Mod-trans) $\sqsubseteq_K$ is transitive.

  (Mod-closure) $w \sqsubseteq_K w'$ and $K' \succeq K$ imply $w \sqsubseteq_{K'} w'$.

  (Commutativity) If $w \sqsubseteq_K w' \leq w''$, then $w \sqsubseteq_K w''$.

- $\rho : W \mapsto 2^{\mathrm{AtomicFormulas}}$ is a valuation function that maps each world to the set of atomic formulas that hold in it. We require that:

  (Rho-her) $P \in \rho(w)$ and $w \leq w'$ imply $P \in \rho(w')$.

- $F \subseteq W$ is the set of fallible worlds. We require that:

  (F-her) $w \in F$ and $w \leq w'$ imply $w' \in F$.

  (F-univ) $w \in F$ implies $P \in \rho(w)$ (for every atomic formula $P$).

Definition 4.2 (Satisfaction). Given a model $M = (W, \theta, \leq, (\sqsubseteq_K)_{K \in \mathrm{Prin}}, \rho, F)$, and a world $w \in W$, the satisfaction relation $w \models A$ (world $w$ satisfies formula $A$) is defined by induction on $A$ as follows.

$w \models P$ iff $P \in \rho(w)$.
$w \models A \wedge B$ iff $w \models A$ and $w \models B$.
$w \models A \vee B$ iff $w \models A$ or $w \models B$.
$w \models \top$.
$w \models \bot$ iff $w \in F$.
$w \models A \supset B$ iff for all $w'$, $w \leq w'$ and $w' \models A$ imply $w' \models B$.
$w \models K\ \mathit{says}\ A$ iff either $w \in F$ or for all $w', w''$, $w \leq w' \sqsubseteq_K w''$ implies $w'' \models A$.

We say that a principal $K$ validates $A$ in model $M$ (written $M \models_K A$) if for each world $w \in W_K$ in $M$, it is the case that $w \models A$. The Kripke semantics defined above are sound and complete in the following sense.

Theorem 4.3 (Soundness and Completeness). $\cdot \xrightarrow{K} A$ in the sequent calculus if and only if for each Kripke model $M$, $M \models_K A$.

Soundness ("only if" direction) follows by an induction on the given sequent calculus proof. We must generalize the statement a little to allow non-empty hypotheses. See Appendix D.1 for details. The proof of completeness ("if" direction) uses a canonical model construction, which we describe next.
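To make Definitions 4.1 and 4.2 concrete, the following Python is an added example and not part of the paper. It encodes a small finite DTL0 Kripke model, checks every frame condition of Definition 4.1 mechanically, evaluates $w \models A$ by the clauses of Definition 4.2, and computes $M \models_K A$. The model itself, the principal names ell and k (with ell $\succeq$ k), the atoms p and q, and the tuple encoding of formulas are all constructed for this example. In this model k validates $(k\ \mathit{says}\ p) \supset p$ while the stronger principal ell does not (the world w2 is visible to ell only, so k's claims say nothing there), and ell does not validate $(k\ \mathit{says}\ \ell\ \mathit{says}\ q) \supset \ell\ \mathit{says}\ q$, in line with the remark in Section 5 that DTL0 does not validate $(K\ \mathit{says}\ K'\ \mathit{says}\ A) \supset K'\ \mathit{says}\ A$.

```python
from itertools import product

# Formulas (constructed encoding for this example, not the paper's syntax):
#   ('atom', P) | ('and', A, B) | ('or', A, B) | ('imp', A, B)
#   ('top',) | ('bot',) | ('says', K, A)

class DTL0Model:
    """Finite DTL0 Kripke model (W, theta, <=, (sqsubseteq_K)_K, rho, F), Definition 4.1."""

    def __init__(self, worlds, principals, succeq, view, leq, mod, rho, fallible, atoms):
        self.W, self.prin, self.atoms = set(worlds), set(principals), set(atoms)
        self.succeq = set(succeq)   # (K, K') in succeq means K is at least as strong as K'
        self.view = view            # theta: world -> set of principals it is visible to
        self.leq = set(leq)         # implication pre-order on worlds, as pairs
        self.mod = mod              # K -> set of pairs (w, w') of the relation sqsubseteq_K
        self.rho = rho              # valuation: world -> set of atoms true there
        self.F = set(fallible)      # fallible worlds, where bottom holds

    def visible(self, K):
        """W_K, the worlds visible to principal K."""
        return {w for w in self.W if K in self.view[w]}

    def above(self, w):
        """Worlds w' with w <= w'."""
        return {v for (u, v) in self.leq if u == w}

    def frame_violations(self):
        """Every frame condition of Definition 4.1 the model breaks (empty list if none)."""
        bad = []
        for w in self.W:
            if (w, w) not in self.leq:
                bad.append(('Imp-refl', w))
            for K, K2 in product(self.view[w], self.prin):
                if (K2, K) in self.succeq and K2 not in self.view[w]:
                    bad.append(('View-closure', w, K2))
        for (w, w2) in self.leq:
            if any(v == w2 and (w, w3) not in self.leq for (v, w3) in self.leq):
                bad.append(('Imp-trans', w, w2))
            if not self.view[w] <= self.view[w2]:
                bad.append(('Imp-mon', w, w2))
            if not self.rho[w] <= self.rho[w2]:
                bad.append(('Rho-her', w, w2))
            if w in self.F and w2 not in self.F:
                bad.append(('F-her', w, w2))
        for K in self.prin:
            R, WK = self.mod[K], self.visible(K)
            bad += [('Mod-range', K, w, w2) for (w, w2) in R if w2 not in WK]
            bad += [('Mod-refl', K, w) for w in WK if (w, w) not in R]
            for (a, b) in R:
                bad += [('Mod-trans', K, a, d) for (c, d) in R if c == b and (a, d) not in R]
                bad += [('Commutativity', K, a, d) for d in self.above(b) if (a, d) not in R]
                bad += [('Mod-closure', K, K2, a, b) for K2 in self.prin
                        if (K2, K) in self.succeq and (a, b) not in self.mod[K2]]
        bad += [('F-univ', w) for w in self.F if not self.atoms <= self.rho[w]]
        return bad

    def sat(self, w, A):
        """w |= A, by the clauses of Definition 4.2."""
        tag = A[0]
        if tag == 'atom':
            return A[1] in self.rho[w]
        if tag == 'and':
            return self.sat(w, A[1]) and self.sat(w, A[2])
        if tag == 'or':
            return self.sat(w, A[1]) or self.sat(w, A[2])
        if tag == 'top':
            return True
        if tag == 'bot':
            return w in self.F
        if tag == 'imp':
            return all(not self.sat(w2, A[1]) or self.sat(w2, A[2]) for w2 in self.above(w))
        if tag == 'says':   # w in F, or A holds at every w'' with w <= w' sqsubseteq_K w''
            return w in self.F or all(self.sat(w3, A[2]) for w2 in self.above(w)
                                      for (u, w3) in self.mod[A[1]] if u == w2)
        raise ValueError(f'unknown formula {A!r}')

    def validates(self, K, A):
        """M |=_K A: A holds at every world visible to K."""
        return all(self.sat(w, A) for w in self.visible(K))


# Constructed example model: ell is stronger than k, and w2 is visible to ell only.
EXAMPLE = DTL0Model(
    worlds=['w0', 'w1', 'w2'], principals=['ell', 'k'], atoms=['p', 'q'],
    succeq={('ell', 'ell'), ('k', 'k'), ('ell', 'k')},
    view={'w0': {'ell', 'k'}, 'w1': {'ell', 'k'}, 'w2': {'ell'}},
    leq={('w0', 'w0'), ('w1', 'w1'), ('w2', 'w2'), ('w0', 'w1')},
    mod={'ell': {('w0', 'w0'), ('w1', 'w1'), ('w2', 'w2'), ('w0', 'w1'), ('w0', 'w2')},
         'k': {('w0', 'w0'), ('w1', 'w1'), ('w0', 'w1')}},
    rho={'w0': set(), 'w1': {'p'}, 'w2': set()},
    fallible=set())

P, Q = ('atom', 'p'), ('atom', 'q')

def demo():
    """Which principals validate which formulas in EXAMPLE, as a dict of results."""
    return {
        'frame ok': EXAMPLE.frame_violations() == [],
        'k validates (k says p) > p': EXAMPLE.validates('k', ('imp', ('says', 'k', P), P)),
        'ell validates (k says p) > p': EXAMPLE.validates('ell', ('imp', ('says', 'k', P), P)),
        'ell validates (k says ell says q) > ell says q': EXAMPLE.validates(
            'ell', ('imp', ('says', 'k', ('says', 'ell', Q)), ('says', 'ell', Q))),
        'k validates bot > k says q': EXAMPLE.validates('k', ('imp', ('bot',), ('says', 'k', Q))),
    }

if __name__ == '__main__':
    for name, ok in demo().items():
        print(f'{name}: {ok}')
```

The frame check is worth running before trusting any satisfaction result: a relation that violates Mod-refl or Commutativity silently changes which formulas the model validates, which is exactly the kind of error a hand-built countermodel tends to contain.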

4.1 Canonical Kripke Model and Completeness

We describe a canonical Kripke model for DTL0 that satisfies the following property: for each $K$ and $A$, if $\cdot \xrightarrow{K} A$ is not provable, then there is a world $w \in W_K$ such that $w \not\models A$. From this property, it follows immediately that satisfaction in Kripke models is complete with respect to the sequent calculus in the sense of Theorem 4.3. Our construction of the canonical model generalizes Alechina et al.'s construction of canonical models for constructive S4 [7]. Before defining the canonical Kripke model, we make some preliminary definitions.

Definition 4.4 (Theory). A theory is a tuple $(\Gamma, S)$, where $\Gamma$ is a set of formulas, and $S$ is a set of principals.

Definition 4.5 (Filter). A set $S$ of principals is called a filter if there exists a principal $K$ such that $S = \{K' \mid K' \succeq K\}$. Note that by definition, a filter always has a minimum element ($K$), and a maximum element ($\ell$). In particular, a filter can never be the empty set.

Definition 4.6 (Prime Theory). We call a theory $(\Gamma, S)$ prime if the following hold:

1. (Prin-closure) $S$ is a filter.

2. (Fact-closure) $\Gamma$ is closed under $\xrightarrow{K}$ for each $K \in S$, i.e., for each $K \in S$, $\Gamma \xrightarrow{K} A$ implies $A \in \Gamma$.⁵

3. (Primality) If $A \vee B \in \Gamma$, then either $A \in \Gamma$ or $B \in \Gamma$.

⁵ If $\Gamma$ is an infinite set, then $\Gamma \xrightarrow{K} A$ means that there is a finite subset $\Gamma'$ of $\Gamma$ such that $\Gamma' \xrightarrow{K} A$.

We take as worlds of our canonical model all prime theories $(\Gamma, S)$. The key property that we ensure in our construction is that $(\Gamma, S) \models A$ iff $A \in \Gamma$. Then, our proof of completeness is as follows. Suppose $\cdot \xrightarrow{K} A$ is not provable. We define $S_K = \{K' \mid K' \succeq K\}$ and construct a prime theory $(\Gamma^*, S_K)$ such that $A \notin \Gamma^*$. By the key property, $(\Gamma^*, S_K) \not\models A$. This completes the proof. There are three essential steps in this proof:

(a) Defining the canonical model whose worlds are prime theories

(b) Showing that $(\Gamma, S) \models A$ iff $A \in \Gamma$

(c) Showing that we can construct the prime theory $(\Gamma^*, S_K)$ such that $A \notin \Gamma^*$

We start by defining the canonical model.

Definition 4.7 (Canonical Kripke Model). The canonical Kripke model for DTL0 is the tuple $(W, \theta, \leq, (\sqsubseteq_K)_{K \in \mathrm{Prin}}, \rho, F)$, where

$W$ is the set of all prime theories $(\Gamma, S)$

$\theta(\Gamma, S) = S$

$(\Gamma, S) \leq (\Gamma', S')$ iff $\Gamma \subseteq \Gamma'$ and $S \subseteq S'$

$(\Gamma, S) \sqsubseteq_K (\Gamma', S')$ iff $K \in S'$ and for each $A$, $K\ \mathit{says}\ A \in \Gamma$ implies $A \in \Gamma'$

$P \in \rho(\Gamma, S)$ iff $P \in \Gamma$

$(\Gamma, S) \in F$ iff $\bot \in \Gamma$

The following lemma shows that the above definition actually describes a Kripke model for DTL0. (Detailed proofs of all lemmas in this section are in Appendix D.2.)

Lemma 4.8 (Canonical Model). The model constructed in Definition 4.7 is a Kripke model for DTL0, i.e., it satisfies all conditions of Definition 4.1.

Proof. We may directly verify each condition from Definition 4.1. □

Next we introduce a notion of consistency for theories with respect to formulas. This notion is needed to establish steps (b) and (c) in our proof of completeness. For a filter $S$ we say that the theory $(\Gamma, S)$ is $A$-consistent if $\Gamma \xrightarrow{K} A$ is not provable for any $K \in S$. The following critical lemma states that any $A$-consistent theory can be extended to an $A$-consistent prime theory.

Lemma 4.9 (Consistent Extensions). Let $(\Gamma, S)$ be an $A$-consistent theory. Then there is an $A$-consistent prime theory $(\Gamma^*, S)$ such that $\Gamma \subseteq \Gamma^*$.

Proof. By a straightforward application of Zorn's Lemma. □

At this point, we can prove the central property of our canonical model, namely that $(\Gamma, S) \models A$ iff $A \in \Gamma$.
Lemma 4.10 (Satisfaction). For each formula $A$, and each prime theory $(\Gamma, S)$, it is the case that $(\Gamma, S) \models A$ in the canonical model iff $A \in \Gamma$.

Proof. By induction on $A$. The cases $A = B \supset C$ and $A = K\ \mathit{says}\ B$ require Lemma 4.9. □

Finally, we prove completeness by combining Lemmas 4.9 and 4.10.

Theorem 4.11 (Completeness). Suppose $\cdot \xrightarrow{K} A$ is not provable. Then there is a world $w$ in the canonical model such that $K \in \theta(w)$ and $w \not\models A$.

Proof. Let $S_K = \{K' \mid K' \succeq K\}$. Since $\cdot \xrightarrow{K} A$ is not provable, the theory $(\cdot, S_K)$ is $A$-consistent. By Lemma 4.9, there is an $A$-consistent prime theory $(\Gamma^*, S_K)$. Take $w = (\Gamma^*, S_K)$. Clearly, $K \in \theta(w)$ and $A \notin \Gamma^*$. Using the latter fact and Lemma 4.10, $(\Gamma^*, S_K) \not\models A$, as required. □

Theorem 4.3 follows as an easy corollary to this theorem.

5 Connections to Other Logics

Having described both the proof-theory and the semantics of DTL0, we study connections between DTL0 and other logics, including some authorization logics. Our technical approach is based on sound and complete translations between the logics. The purpose of studying these connections is two-fold. First, we wish to understand DTL0 better through these translations. Second, through translations from existing authorization logics to DTL0, we seek to argue that DTL0 is at least as expressive as each of them. In the future, we would also like to use these (or similar) translations to try to develop a single framework for combining policies written in different logics.

We start by observing in Section 5.1 that DTL0 generalizes the modal logic constructive S4 or CS4 (without $\Diamond$) [7, 13, 46] in the following sense: the trivial embedding from CS4 to DTL0 that maps $\Box A$ to $\ell\ \mathit{says}\ A$, and every other connective to itself, is sound and complete. At the same time, DTL0 is quite distinct from another, rather obvious generalization of constructive S4: the constructive multi-modal S4 that keeps modalities independent of each other (called CS4m here). For example, the latter logic validates $(K\ \mathit{says}\ K'\ \mathit{says}\ A) \supset K'\ \mathit{says}\ A$, which DTL0 does not. The question then is whether there is a connection between DTL0 and CS4m. We show that there is an easy sound and complete embedding of DTL0 into CS4m. We do not know whether an embedding exists in the other direction.

Next, we examine connections to existing authorization logics. Recently, a number of authorization logics have been proposed [3, 25, 31-33] that treat $K$ says $\cdot$ as a modality from lax logic [12, 27, 28]. Although these logics differ in constructs other than says, each of them treats the modality $K$ says $\cdot$ in the same way. In Section 5.2, we describe a propositional core that is common to all these authorization logics, and show that it can be translated to DTL0. By considering the degenerate case where the source of the translation has only one modality, we obtain a translation from lax logic to DTL0. (A different but related translation from lax logic to S4 appeared in prior work [31].)

The earliest authorization logics [6, 39] treated $K$ says $\cdot$ as the weakest normal $\Box$ modality, i.e., the necessitation modality from the modal logic K. Although these logics were classical, the interpretation of $K$ says $\cdot$ as a weak normal modality may be useful even in intuitionistic authorization logics. In Section 5.3, we describe a propositional intuitionistic authorization logic with weak normal modalities, and translate it to DTL0. In Section 5.4 we present a translation from a language for writing authorization policies, namely Soutei [47], to DTL0.

Finally, in Section 5.5 we use a suggestion by Abadi [2] and strengthen DTL0 to a logic which includes the axiom $(K\ \mathit{says}\ A) \supset K'\ \mathit{says}\ K\ \mathit{says}\ A$. We describe the proof-theory of the logic briefly and show that it admits a simple translation to DTL0. The axiom $(K\ \mathit{says}\ A) \supset K'\ \mathit{says}\ K\ \mathit{says}\ A$ is stronger than axiom (4) of DTL0, and, as observed by Abadi [2], seems to capture the essence of says in some languages like Soutei and Binder [24]. Our translations formalize this observation. We also present a sound and complete translation from this logic to CS4.

5.1 Connection to CS4

Constructive S4, or CS4 for short, is an intuitionistic version of the modal logic S4 [7, 13, 46]. As usual, it contains the modalities of necessity ($\Box A$) and possibility ($\Diamond A$). We are concerned here with propositional CS4 without $\Diamond$. A Hilbert style proof system for this logic consists of any axiomatization of intuitionistic propositional logic, and the following rules and axioms for $\Box A$ [7].

From $\vdash A$ infer $\vdash \Box A$   (nec)
$\vdash (\Box(A \supset B)) \supset ((\Box A) \supset (\Box B))$   (K)
$\vdash (\Box A) \supset \Box\Box A$   (4)
$\vdash (\Box A) \supset A$   (T)

DTL0 as a Generalization of CS4. An obvious translation from CS4 to DTL0 is to map $\Box A$ to $\ell\ \mathit{says}\ A$ and all other connectives to themselves. Remarkably, this simple translation is both sound and complete. Another way to look at this translation is to say that in the degenerate case where there is only one principal (say $\ell$) in DTL0, the sole modality $\ell\ \mathit{says}\ A$ behaves exactly like the necessitation modality $\Box A$ from CS4. In fact, in this degenerate case the natural deduction system for DTL0 (Figure 1) reduces to the judgmental natural deduction system for CS4 developed by Pfenning and Davies [46]. Similarly, the sequent calculus (Figure 4) reduces to a corresponding calculus for CS4 (e.g., [32]). Moreover, the Kripke semantics of DTL0 reduce to those of CS4 described by Alechina et al. [7] (without $\Diamond$), with the minor difference that our treatment of falsehood uses fallible worlds explicitly. The following theorem is straightforward.

Theorem 5.1. In the special case where there is only one principal $\ell$ in DTL0, the following are equivalent:

1. $\vdash A$ treating $\ell$ says $\cdot$ as a CS4 $\Box$ modality.

2. $\vdash_\ell A$ in the natural deduction system of Figure 1.

Proof. First we observe that in the natural deduction system of Figure 1, the contexts associated with hypothetical judgments become meaningless if there is only one principal $\ell$. This is because the only place where contexts are used is the premise $K \succeq K'$ of the rule (claims). With only one possible principal, $K \succeq K'$ is always true by the fact that $\succeq$ is a pre-order. Next we observe that with contexts erased from the hypothetical judgments, the natural deduction system for DTL0 becomes the same as the judgmental natural deduction system of CS4 [46], taking $\ell$ claims $A$ to be the judgment called $A$ valid in CS4, and taking $\ell$ says $A$ to be $\Box A$ in CS4. It follows then that any theorem validated in DTL0 for this degenerate case is also validated in CS4, and vice versa. □

The above theorem shows that DTL0 generalizes CS4. A different generalization of CS4 may be obtained by taking several necessitation modalities that are independent of each other. We call this logic CS4m. In the following we briefly describe CS4m, observe that it is different from DTL0, and present a sound and complete translation from DTL0 to CS4m.

CS4m. The logic CS4m extends intuitionistic propositional logic with one necessitation modality for each principal $K$, written $\Box_K A$. As in DTL0, we assume a pre-order $\succeq$ between principals, and also that there is a maximum principal $\ell$. The following rules and axioms apply to $\Box_K A$.

From $\vdash A$ infer $\vdash \Box_K A$   (nec)
$\vdash (\Box_K(A \supset B)) \supset ((\Box_K A) \supset (\Box_K B))$   (K)
$\vdash (\Box_K A) \supset \Box_K \Box_K A$   (4)
$\vdash (\Box_K A) \supset A$   (T)
$\vdash (\Box_K A) \supset \Box_{K'} A$ if $K \succeq K'$   (S)

(nec)-(T) mean that each modality $\Box_K$ behaves like a CS4 necessitation modality. Axiom (S) incorporates the pre-order $\succeq$ into logical reasoning. A simpler logic, similar to CS4m, without the pre-order $\succeq$ has been studied in the past to model knowledge in authorization policies [32].

Relation between CS4m and DTL0. It is easy to see that the modality $\Box_K A$ in CS4m is quite different from $K$ says $A$ in DTL0. For example, $(\Box_K \Box_{K'} A) \supset \Box_{K'} A$ by axiom (T), but $K$ says $K'$ says $A$ does not always imply $K'$ says $A$ in DTL0. However, there is a simple sound and complete translation from DTL0 to CS4m. Assume that both the set of principals and the ordering $\succeq$ on them are the same in DTL0 and CS4m. Further assume that for each principal $K$, there is a distinct atomic formula in CS4m, also written $K$. Assuming that these atomic formulas are disjoint from the usual atomic formulas $P$, we define a translation $\ulcorner \cdot \urcorner$ from formulas of DTL0 to formulas of CS4m as follows.

$\ulcorner P \urcorner = P$
$\ulcorner A \wedge B \urcorner = \ulcorner A \urcorner \wedge \ulcorner B \urcorner$
$\ulcorner A \vee B \urcorner = \ulcorner A \urcorner \vee \ulcorner B \urcorner$
$\ulcorner A \supset B \urcorner = \ulcorner A \urcorner \supset \ulcorner B \urcorner$
$\ulcorner \top \urcorner = \top$
$\ulcorner \bot \urcorner = \bot$
$\ulcorner K\ \mathit{says}\ A \urcorner = \Box_K (K \supset \ulcorner A \urcorner)$

The important part of the translation is the mapping of $K$ says $A$ to $\Box_K(K \supset \ulcorner A \urcorner)$. The formula $K$ on the left of the implication acts as a "guard" on $\ulcorner A \urcorner$, and recovers the effect of the context associated with hypothetical judgments in DTL0: $\ulcorner A \urcorner$ can be obtained from $K \supset \ulcorner A \urcorner$ only if $K$ is true. By design, our translation ensures that $K$ is true if and only if we are reasoning in a context weaker than $K$.

Define the set of formulas $\Theta = \{\Box_\ell (K \supset K') \mid K' \succeq K\}$. $\Theta$ captures the pre-order $\succeq$ between principals as implications between the representations of principals as atomic formulas. The following theorem states the correctness property for the translation. (We abuse notation slightly and use $\Theta$ to also represent the formula obtained by taking the conjunction of all formulas in the set $\Theta$.)


Theorem 5.2 (Correctness). $\cdot \xrightarrow{K} A$ in DTL0 if and only if $\vdash \Theta \supset (K \supset \ulcorner A \urcorner)$ in CS4m.

Proof. A detailed proof of this theorem is in Appendix E. A brief outline of the proof is as follows. Soundness ("only if" direction) is established by an induction on proofs in DTL0. For convenience, we induct on proofs in the axiomatic system, but we could also have inducted either on proofs in the sequent calculus or on proofs in the natural deduction system.

Completeness ("if" direction) is established through a semantic argument. First we define an interpretation of CS4m formulas in Kripke models of DTL0, and show that the interpretation is sound. This works because the two logics CS4m and DTL0 are similar. Next, we show that for each DTL0 formula $A$, $\models A$ if and only if $\models \ulcorner A \urcorner$. Then, completeness of the translation follows from completeness of DTL0 with respect to its Kripke models (Theorem 4.3). Alternatively, we could have used a purely syntactic argument to establish completeness, as we do for all later translations in this section. However, doing so would require that we also develop a sequent calculus for CS4m. Although this is straightforward, it was tempting to avoid the extra work, and to use the results already developed for the Kripke semantics of DTL0. Indeed, this turned out to be a good choice since the semantic proof is both short and easy. □


5.2 Translation from an Authorization Logic with Lax Modalities

In the recent past, a number of authorization logics have been proposed [3, 25, 31-33] that treat $K$ says $\cdot$ as a modality from lax logic [12, 27, 28]. The well studied semantics and proof-theory of lax logic (e.g., [7, 27, 38, 46]) generalize to these authorization logics [3, 31, 33]. Also, useful meta-theoretic properties such as non-interference can be established readily for such authorization logics [3, 33]. Owing to these merits, a number of proposals have used authorization logics based on lax modalities (e.g., [29, 40, 50]), in particular the interpretation of the Dependency Core Calculus [5] as an authorization logic [3].

Although authorization logics that interpret $K$ says $\cdot$ as a lax modality differ widely in the connectives and constructs allowed, an intuitionistic propositional fragment is common to all of them. We call this common fragment ICL, borrowing the name from earlier work [31], and show that it can be translated to DTL0.

ICL. The logic ICL extends intuitionistic propositional logic with a principal-indexed modality $K$ says $\cdot$, which satisfies the following axioms.

$\vdash A \supset (K\ \mathit{says}\ A)$   (unit)
$\vdash (K\ \mathit{says}\ (A \supset B)) \supset ((K\ \mathit{says}\ A) \supset K\ \mathit{says}\ B)$   (K)
$\vdash (K\ \mathit{says}\ K\ \mathit{says}\ A) \supset K\ \mathit{says}\ A$   (C4)

(unit) is the characterizing axiom of ICL. It means that any true formula is believed by all principals, thus making truth irrefutable by principals. (unit) also subsumes the (nec) rule. (C4), together with (unit), forces $(K\ \mathit{says}\ A) \equiv (K\ \mathit{says}\ K\ \mathit{says}\ A)$. With these axioms, $K$ says $\cdot$ behaves exactly like the lax modality. Unlike DTL0, there is no order between principals in ICL. A detailed description of the proof-theory and semantics of ICL may be found in earlier work [3, 31, 33].


Translation from ICL to DTL0. Let us assume that all principals in ICL also exist in DTL0, and that these principals are unrelated to each other in the order $\succeq$. Then, we may translate ICL to DTL0 as follows. (We remind the reader that the connectives global $A$ and $K$ publ $A$ were defined in Section 2.)

$\ulcorner P \urcorner = \mathit{global}\ P$
$\ulcorner A \wedge B \urcorner = \ulcorner A \urcorner \wedge \ulcorner B \urcorner$
$\ulcorner A \vee B \urcorner = \ulcorner A \urcorner \vee \ulcorner B \urcorner$
$\ulcorner \bot \urcorner = \bot$
$\ulcorner \top \urcorner = \top$
$\ulcorner A \supset B \urcorner = \mathit{global}\ (\ulcorner A \urcorner \supset \ulcorner B \urcorner)$
$\ulcorner K\ \mathit{says}\ A \urcorner = \mathit{global}\ (K\ \mathit{says}\ \ulcorner A \urcorner) = K\ \mathit{publ}\ \ulcorner A \urcorner$

The basic idea of our translation is to prefix some of the connectives with the defined modality global, so that for each $A$, it is the case that $\ulcorner A \urcorner \supset \mathit{global}\ \ulcorner A \urcorner$.⁶ Then by the properties of global listed above, it follows that $\ulcorner A \urcorner \supset \ulcorner K\ \mathit{says}\ A \urcorner$. This captures the effect of the axiom (unit) in the translation. Soundness of the remaining axioms of ICL is straightforward. Interestingly, this translation is also complete. The following theorem states this formally.

t 

Theorem  5.3  (Correctness),  b  A  in  ICL  if  and  only  if  ■  — >  rAn  in  DTLq. 

Proof.  Appendix  F  contains  a  complete  proof  of  this  theorem.  Soundness  (“only  if” 
direction)  is  readily  established  by  induction  on  the  derivation  of  b  A.  Completeness 
(“if”  direction)  is  established  using  a  simulation  technique  based  in  sequent  calculi. 

⁶ Our translation is inspired by, and resembles, Gödel's translation from intuitionistic logic to classical modal S4, where a □ is put before each connective [36].
First, we syntactically characterize those DTL0 sequents that may occur in the proof of a formula obtained by translation. These sequents are called regular. This characterization relies on the subformula property of DTL0's sequent calculus. Next, we define an inverse translation from regular sequents to sequents of ICL, and use induction on sequent calculus derivations to prove a simulation result: any DTL0 proof ending in a regular sequent can be simulated in ICL. From this fact completeness follows immediately. This method scales quite well to translations between other logics as long as the target of the translation has a sequent calculus with the subformula property. In particular, we use the method to prove completeness of all translations described later in this section. For some other applications of the method, see prior work [31, 34]. □


5.3 Translation from an Authorization Logic with Weak Normal Modalities

A necessitation modality is called normal if it satisfies the rule (nec) and the axiom (K). In the earliest authorization logics [6, 39], each modality K says • was treated as the weakest possible necessitation modality, i.e., a modality that admits (nec), (K), and their consequences only. Although these early logics were classical, the treatment of K says • as the weakest normal necessitation modality may be interesting in an intuitionistic authorization logic as well. In the following we present an intuitionistic authorization logic that admits only (nec) and (K), and describe a sound and complete translation from it to DTL0. We call the new logic IIK (Indexed Intuitionistic K).

IIK. The logic IIK is an extension of intuitionistic propositional logic with formulas K says A that satisfy the following rule and axiom:

$$\frac{\vdash A}{\vdash K\ \mathsf{says}\ A}\ (\mathrm{nec}) \qquad\qquad \vdash (K\ \mathsf{says}\ (A \supset B)) \supset ((K\ \mathsf{says}\ A) \supset (K\ \mathsf{says}\ B)) \quad (\mathrm{K})$$

These two together imply that for each K, K says • is the weakest normal necessitation modality. As in ICL, there is no order between principals in IIK.


Translation to DTL0. We assume the existence of a distinguished principal d in DTL0 that is distinct from ι and all principals in IIK and that is unrelated in the order to all principals except itself and ι. Then we define a translation from IIK to DTL0 as follows.

$$\begin{array}{rcl}
\ulcorner P \urcorner &=& P\\
\ulcorner A \wedge B \urcorner &=& \ulcorner A \urcorner \wedge \ulcorner B \urcorner\\
\ulcorner A \vee B \urcorner &=& \ulcorner A \urcorner \vee \ulcorner B \urcorner\\
\ulcorner \top \urcorner &=& \top\\
\ulcorner \bot \urcorner &=& \bot\\
\ulcorner A \supset B \urcorner &=& \ulcorner A \urcorner \supset \ulcorner B \urcorner\\
\ulcorner K\ \mathsf{says}\ A \urcorner &=& d\ \mathsf{says}\ K\ \mathsf{says}\ \ulcorner A \urcorner
\end{array}$$

This translation maps all connectives except says to themselves, and maps K says A to d says K says A. It is easy to check that the compound connective d says K says • admits both the rule (nec) and the axiom (K) in DTL0, but not the axioms (C) and (4). This ensures that the translation is both sound and complete. The following theorem states this formally.

Theorem 5.4 (Correctness). ⊢ A in IIK if and only if $\cdot \xrightarrow{\iota} \ulcorner A \urcorner$ in DTL0.

Proof. See Appendix G. □

5.4 Translation from Soutei

Soutei is a trust management system for enforcing authorization policies [47]. Soutei's language for writing authorization policies has a syntax similar to that of authorization logics. For instance, there is a construct K says A, and there are conditionals similar to logical implication. Like other trust management systems (e.g., [16-18]), Soutei is query based: other programs provide authorization policies, and ask whether specific authorizations follow from them. Soutei's mechanism for query evaluation is based on ideas from logic programming. There are fixed inference rules that constitute a decision procedure similar to backchaining. Although the policy language is first-order, we consider here only a simplified propositional fragment of the language and show that it can be translated into DTL0. For the lack of a better name, we call Soutei's policy language SL.

SL. Soutei's policy language is based on another language for writing authorization policies, Binder [24]. Policy statements (called clauses) are divided into disjoint sets called assertions. Each assertion has a name, which is analogous to a principal in authorization logics. If Λ1, ..., Λn are the clauses in an assertion named K, then we may think of the whole assertion as the hypothesis K publ Λ1, ..., K publ Λn. A simplified and abstracted syntax for SL without first-order quantification is shown below.⁷


$$\begin{array}{lrcl}
\text{Principals or names} & K & & \\
\text{Atomic formulas} & P & & \\
\text{Goals} & G & ::= & P \;\mid\; K\ \mathsf{says}\ P\\
\text{Clauses} & \Lambda & ::= & P \leftarrow G_1, \ldots, G_n\\
\text{Assertions} & \Delta & ::= & \Lambda_1, \ldots, \Lambda_n\\
\text{Named assertions} & N & ::= & K : \Delta\\
\text{Hypotheses} & \Gamma & ::= & N_1, \ldots, N_k\\
\text{Queries} & q & ::= & \Delta \vdash_\Gamma G
\end{array}$$

Policy statements are represented as clauses that have the form P ← G1, ..., Gn, where P is an atomic formula and each Gi is either an atomic formula or has the form K says P. As usual, the entire clause means that P holds if each of G1, ..., Gn holds. n may be zero, in which case P is a fact. An assertion Δ is a set of clauses. A named assertion is a pair K : Δ containing an assertion and a principal. The principal is a name for the assertion, and may represent a physical domain (such as a computer or a user) inside which policies contained in the assertion hold. The set of all named assertions is called the hypothesis Γ. It is assumed implicitly that the names of all assertions in Γ are distinct. Queries are evaluated relative to the hypothesis Γ and an assertion Δ

⁷ We change Soutei's original notation to make it consistent with our own notation. We also simplify the evaluation rules slightly, without affecting their consequences.
containing clauses which are valid at the point of evaluation. As evaluation of a query proceeds, Δ may change, but Γ remains fixed. Evaluation of queries is goal directed, and uses the following two rules:

$$\frac{(P \leftarrow G_1, \ldots, G_n) \in \Delta \qquad (\Delta \vdash_\Gamma G_i)_{i \in \{1, \ldots, n\}}}{\Delta \vdash_\Gamma P}\ (\mathrm{bc})
\qquad\qquad
\frac{(K : \Delta) \in \Gamma \qquad \Delta \vdash_\Gamma P}{\Delta' \vdash_\Gamma K\ \mathsf{says}\ P}\ (\mathrm{says})$$

The rule (bc) means that P holds if there is a clause P ← G1, ..., Gn in the valid assertion, and each Gi holds. This is the standard backchaining rule for logic programs. The rule (says) means that K says P is true if in the assertion Δ named K, P is true. At the top level, evaluation of a query begins in an assertion that has the distinguished name system.


Translation from SL to DTL0. Let us assume that DTL0 contains all principals in SL, including the distinguished principal system, and in addition contains the principal ι. We further assume that principals are only related to themselves and ι in the order ⪰. Then, we define the following translation from SL to DTL0.


$$\begin{array}{lrcl}
\text{Goals } G & \ulcorner P \urcorner &=& P\\
 & \ulcorner K\ \mathsf{says}\ P \urcorner &=& K\ \mathsf{publ}\ P\\
\text{Clauses } \Lambda & \ulcorner P \leftarrow G_1, \ldots, G_n \urcorner &=& (\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P\\
\text{Assertions } \Delta & \ulcorner \Lambda_1, \ldots, \Lambda_n \urcorner &=& \ulcorner \Lambda_1 \urcorner, \ldots, \ulcorner \Lambda_n \urcorner\\
\text{Named assertions } N & \ulcorner K : \Lambda_1, \ldots, \Lambda_n \urcorner &=& K\ \mathsf{publ}\ \ulcorner \Lambda_1 \urcorner, \ldots, K\ \mathsf{publ}\ \ulcorner \Lambda_n \urcorner\\
\text{Hypotheses } \Gamma & \ulcorner N_1, \ldots, N_k \urcorner &=& \ulcorner N_1 \urcorner, \ldots, \ulcorner N_k \urcorner
\end{array}$$


The most significant part of the above translation is the use of the defined connective publ to translate goals of the form K says P as well as named assertions. Since named assertions are always available in SL (hypotheses never change when we evaluate a query), it is essential that the same be true in the image of the translation. Using publ in the translation of named assertions ensures this. The use of publ in the translation of goals of the form K says P is optional; we could also have translated goals K says P to K says P, without affecting the correctness of the translation, which is stated in the following theorem.
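The two evaluation rules (bc) and (says) and the translation just described, as an added Python example (not Soutei's code and not the paper's): a small evaluator for the propositional fragment SL, and the syntactic translation of goals, clauses, named assertions and hypotheses into DTL0 formulas rendered as strings. It goes slightly beyond the rules as stated by adding a loop check, so that a circular clause such as P ← P yields denial rather than non-termination; since a repeated (assertion, goal) pair on one search path can always be cut out of a derivation, the check loses no derivation. The policy, the principal names, and the rendering of a fact P (whose empty conjunction would give ⊤ ⊃ P) simply as P are my assumptions, not from the paper.

```python
"""Propositional Soutei (SL) query evaluation and translation into DTL0.

Added example; not Soutei's or the paper's own code. Implements the rules
(bc) and (says) of Section 5.4 and the syntactic translation of Section 5.4.
The policy at the bottom is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union

# A goal G is an atom P (a str) or a pair ("K", "P") standing for K says P.
Goal = Union[str, Tuple[str, str]]


@dataclass(frozen=True)
class Clause:
    """A clause P <- G1, ..., Gn; an empty body makes P a fact."""
    head: str
    body: Tuple[Goal, ...] = ()


Assertion = Tuple[Clause, ...]        # an assertion Delta
Hypothesis = Dict[str, Assertion]     # named assertions K : Delta (names distinct)


def entails(delta: Assertion, gamma: Hypothesis, goal: Goal,
            active: FrozenSet = frozenset()) -> bool:
    """Decide Delta |-_Gamma G by goal-directed search with (bc) and (says).

    `active` holds the (assertion, goal) pairs on the current search path; a
    goal that recurs on its own path is rejected (loop check, our addition).
    """
    key = (delta, goal)
    if key in active:
        return False
    active = active | {key}
    if isinstance(goal, tuple):
        # (says): Delta' |-_Gamma K says P if (K : Delta) in Gamma and Delta |-_Gamma P.
        # The current assertion is discarded; evaluation moves into K's assertion.
        principal, atom = goal
        if principal not in gamma:
            return False
        return entails(gamma[principal], gamma, atom, active)
    # (bc): P holds if some clause P <- G1, ..., Gn in Delta has every Gi derivable.
    for clause in delta:
        if clause.head == goal and all(entails(delta, gamma, g, active)
                                       for g in clause.body):
            return True
    return False


def query(gamma: Hypothesis, goal: Goal) -> bool:
    """Top-level query: evaluation starts in the assertion named `system`."""
    return entails(gamma["system"], gamma, goal)


# --- translation into DTL0, formulas rendered as strings -------------------

def tr_goal(g: Goal) -> str:
    return g if isinstance(g, str) else f"{g[0]} publ {g[1]}"


def tr_clause(c: Clause) -> str:
    # Schema: (G1 ∧ ... ∧ Gn) ⊃ P. For n = 0 the empty conjunction is ⊤ and
    # ⊤ ⊃ P is equivalent to P, so a fact is rendered as P (our simplification).
    if not c.body:
        return c.head
    return "((" + " ∧ ".join(tr_goal(g) for g in c.body) + f") ⊃ {c.head})"


def tr_named(name: str, delta: Assertion) -> List[str]:
    """K : L1, ..., Ln becomes K publ L1, ..., K publ Ln."""
    return [f"{name} publ {tr_clause(c)}" for c in delta]


def tr_hypothesis(gamma: Hypothesis) -> List[str]:
    return [f for name, delta in gamma.items() for f in tr_named(name, delta)]


# Constructed policy: `system` grants `read` if `admin` or `owner` says so;
# `admin` defers to `hr`; `owner` has a circular clause and never yields `read`.
POLICY: Hypothesis = {
    "system": (Clause("read", (("admin", "read"),)),
               Clause("read", (("owner", "read"),))),
    "admin": (Clause("read", (("hr", "employee"),)),),
    "hr": (Clause("employee"),),
    "owner": (Clause("read", ("revoked",)),
              Clause("revoked", ("revoked",))),
}

if __name__ == "__main__":
    print(query(POLICY, "read"))             # granted via admin -> hr
    print(query(POLICY, ("owner", "read")))  # denied: owner's cycle is cut off
    for formula in tr_hypothesis(POLICY):
        print(formula)
```

Evaluation always moves into the named assertion of the principal in a says goal, so a clause in `system` can only be satisfied by what that principal's own assertion concludes; the loop check turns the unsatisfiable `owner` clause into a plain denial.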

Theorem 5.5 (Correctness). Suppose (K : Δ) ∈ Γ. Then Δ ⊢Γ G in SL if and only if $\ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{K} \ulcorner G \urcorner$ in DTL0.

Proof. See Appendix H. □


5.5 "Binder" Logic and its Translation

In this section we consider a logic containing an axiom that is stronger than (4). We call this axiom (Bind) for reasons that will soon be clear.

$$(K\ \mathsf{says}\ A) \supset K'\ \mathsf{says}\ K\ \mathsf{says}\ A \quad (\mathrm{Bind})$$

The (Bind) axiom dates back to a survey of applications of logic in access control by Abadi [2]. In that paper, Abadi states that the (Bind) axiom is closely connected to the authorization language Binder [24]. (Recall from Section 5.4 that Binder is the precursor to, and very similar to, Soutei's policy language SL.) The paper suggests that this axiom, together with some other basic modal axioms, is sufficient to justify Binder's rules. It follows from the connections between Binder and SL that the same set of axioms is also sufficient to justify SL's evaluation rules. It is not mentioned if Binder's evaluation rules are complete with respect to this axiom.

(Bind) is interesting from our perspective because replacing axiom (4) with (Bind) in DTL0 results in a new authorization logic, which we call BL0.⁸ This logic is closely related to DTL0 and also has very appealing proof-theoretic properties. First, says in this new logic behaves exactly like the defined connective publ in DTL0. In fact we show that BL0 may be embedded into DTL0 by mapping K says A to K publ A and all other connectives to themselves. Second, we obtain a sequent calculus for BL0 by making a small change to the sequent calculus of DTL0. Third, we show that SL can be interpreted in BL0 in a sound and complete manner through a translation that maps named assertions using says, thus formulating a variant of Abadi's observation as a concrete theorem. Fourth, we argue that ICL can be embedded in BL0 in a sound and complete manner, using the translation described in Section 5.2. Finally, we adapt the translation from DTL0 to CS4m presented in Section 5.1 to obtain a translation from BL0 to CS4. Although we do not do so here, we also expect that there are sound and complete Kripke semantics for BL0 that are very similar to (but simpler than) the Kripke semantics of DTL0 (Section 4).

The Logic BL0

BL0 extends intuitionistic propositional logic with the modality K says A satisfying the following rules and axioms.

$$\frac{\vdash A}{\vdash K\ \mathsf{says}\ A}\ (\mathrm{nec})$$

$$\vdash (K\ \mathsf{says}\ (A \supset B)) \supset ((K\ \mathsf{says}\ A) \supset (K\ \mathsf{says}\ B)) \quad (\mathrm{K})$$

$$\vdash (K\ \mathsf{says}\ A) \supset K'\ \mathsf{says}\ K\ \mathsf{says}\ A \quad (\mathrm{Bind})$$

$$\vdash K\ \mathsf{says}\ ((K\ \mathsf{says}\ A) \supset A) \quad (\mathrm{C})$$

The axiom (Bind) generalizes axiom (4) of DTL0. Unlike DTL0, we do not assume any order between principals (although such an extension is easily conceivable). A sequent calculus for BL0 is shown in Figure 5. This sequent calculus is a modification of the sequent calculus for DTL0 (Figure 4). The notation Γ| in the rule (saysR) denotes the set containing "claims" of all principals.

$$\Gamma| = \{K\ \mathsf{claims}\ C \in \Gamma\}$$

This change in the restriction operator is sufficient to capture the generalization from axiom (4) to (Bind). Besides this difference, the rule (claims) is modified slightly to eliminate the order. Although we do not do so here, we may also prove admissibility of cut and identity theorems (Section 3.5) for BL0. The following theorem shows that the sequent calculus and axiomatic system for BL0 are equivalent.

⁸ BL0 is a fragment of a larger logic BL, just as DTL0 is a fragment of DTL. BL stands for "Binder Logic", since its says modality is closely related to the policy language Binder [24].

Figure 5: Sequent calculus for BL0

Theorem 5.6 (Equivalence). $\cdot \xrightarrow{K} A$ in BL0's sequent calculus if and only if ⊢ K says A in BL0's axiomatic system.

Proof. See Appendix I. □

Translation from BL0 to DTL0

The modality K says A in BL0 behaves exactly like K publ A in DTL0. In fact, we may translate BL0 to DTL0 by mapping says to publ as follows. (We assume that all principals in BL0 are distinct from ι. Also, we use the notation [·] for the translation instead of our usual notation ⌜·⌝ to distinguish it from the translation from SL to BL0 that follows.)

$$\begin{array}{rcl}
[P] &=& P\\
[A \wedge B] &=& [A] \wedge [B]\\
[A \vee B] &=& [A] \vee [B]\\
[\top] &=& \top\\
[\bot] &=& \bot\\
[A \supset B] &=& [A] \supset [B]\\
[K\ \mathsf{says}\ A] &=& K\ \mathsf{publ}\ [A]
\end{array}$$

This simple translation is both sound and complete, as the following theorem shows.

Theorem 5.7 (Correctness). $\Gamma \xrightarrow{K} A$ in BL0's sequent calculus if and only if $[\Gamma] \xrightarrow{K} [A]$ in DTL0's sequent calculus.

Proof. See Appendix I. □


Translation from ICL to BL0

The translation from ICL to DTL0 described in Section 5.2 is also sound and complete if the target logic is BL0. Of course, we need to assume that BL0 also has a local authority ι, and modify the rule (claims) accordingly. The reason that this works is as follows. Consider a formula A in ICL. We may translate this to DTL0 in two ways. First, we may translate it directly using the translation from Section 5.2, obtaining ⌜A⌝. Second, we may translate it to BL0 using the same translation and then further translate it to DTL0 using the translation described above, obtaining [⌜A⌝]. Now it is easy to show by induction on A that in DTL0, $\cdot \xrightarrow{\iota} \ulcorner A \urcorner$ iff $\cdot \xrightarrow{\iota} [\ulcorner A \urcorner]$. Hence by Theorems 5.3 and 5.7 we get ⊢ A in ICL iff $\cdot \xrightarrow{\iota} \ulcorner A \urcorner$ in DTL0 iff $\cdot \xrightarrow{\iota} [\ulcorner A \urcorner]$ in DTL0 iff $\cdot \xrightarrow{\iota} \ulcorner A \urcorner$ in BL0.


Translation from SL to BL0

We may translate SL to BL0, much like we translated SL to DTL0. Since the modality K says A in BL0 behaves like K publ A in DTL0, we use says in place of publ everywhere.

$$\begin{array}{lrcl}
\text{Goals } G & \ulcorner P \urcorner &=& P\\
 & \ulcorner K\ \mathsf{says}\ P \urcorner &=& K\ \mathsf{says}\ P\\
\text{Clauses } \Lambda & \ulcorner P \leftarrow G_1, \ldots, G_n \urcorner &=& (\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P\\
\text{Assertions } \Delta & \ulcorner \Lambda_1, \ldots, \Lambda_n \urcorner &=& \ulcorner \Lambda_1 \urcorner, \ldots, \ulcorner \Lambda_n \urcorner\\
\text{Named assertions } N & \ulcorner K : \Lambda_1, \ldots, \Lambda_n \urcorner &=& K\ \mathsf{says}\ \ulcorner \Lambda_1 \urcorner, \ldots, K\ \mathsf{says}\ \ulcorner \Lambda_n \urcorner\\
\text{Hypotheses } \Gamma & \ulcorner N_1, \ldots, N_k \urcorner &=& \ulcorner N_1 \urcorner, \ldots, \ulcorner N_k \urcorner
\end{array}$$


Once again, this translation is sound and complete.

Theorem 5.8 (Correctness). Suppose (K : Δ) ∈ Γ. Then Δ ⊢Γ G in SL if and only if $\ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{K} \ulcorner G \urcorner$ in BL0.

Proof. Note that we have two translations from SL to DTL0. First, we have the translation ⌜·⌝ from Section 5.4. Second, we may compose the translations ⌜·⌝ : SL → BL0 and [·] : BL0 → DTL0 that are described above. It is very easy to check that the two translations are the same. ([·] maps says to publ, which compensates for the only difference between the translations from SL to BL0 and SL to DTL0.) Thus we get,

$$\begin{array}{lll}
\Delta \vdash_\Gamma G \text{ in SL} & \Longleftrightarrow\ \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{K} \ulcorner G \urcorner \text{ in DTL}_0 & (\text{Theorem 5.5})\\
& \Longleftrightarrow\ [\ulcorner \Gamma \urcorner], [\ulcorner \Delta \urcorner] \xrightarrow{K} [\ulcorner G \urcorner] \text{ in DTL}_0 & (\ulcorner \cdot \urcorner = [\ulcorner \cdot \urcorner])\\
& \Longleftrightarrow\ \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{K} \ulcorner G \urcorner \text{ in BL}_0 & (\text{Theorem 5.7})
\end{array}$$
Translation from BL0 to CS4

Finally, we adapt the translation from DTL0 to CS4m (Section 5.1) to obtain a translation from BL0 to CS4. The difference between the translations is that here we use □ (in place of the modality used in Section 5.1) for translating K says A. This not only simplifies the translation, but also captures the effects of the axiom (Bind).

$$\begin{array}{rcl}
\ulcorner P \urcorner &=& P\\
\ulcorner A \wedge B \urcorner &=& \ulcorner A \urcorner \wedge \ulcorner B \urcorner\\
\ulcorner A \vee B \urcorner &=& \ulcorner A \urcorner \vee \ulcorner B \urcorner\\
\ulcorner A \supset B \urcorner &=& \ulcorner A \urcorner \supset \ulcorner B \urcorner\\
\ulcorner \top \urcorner &=& \top\\
\ulcorner \bot \urcorner &=& \bot\\
\ulcorner K\ \mathsf{says}\ A \urcorner &=& \Box (K \supset \ulcorner A \urcorner)
\end{array}$$

Theorem 5.9 (Correctness). $\cdot \xrightarrow{K} A$ in BL0 if and only if ⊢ K ⊃ ⌜A⌝ in CS4.

Proof. See Appendix I. □
6 Related Work

Many authorization logics have been proposed in the past, all of which contain the modality K says A [2, 3, 8-10, 21, 23, 25, 31-33, 40, 41]. The axioms and rules used in these logics differ widely. The particular combination of rules used in DTL0 appears to be novel. Perhaps most closely related to DTL0 is a proposal by Abadi in a survey paper [2], where the axiom (K says A) ⊃ (K' says K says A) is suggested; says with this axiom behaves very much like the defined connective publ in DTL0. In a recent paper, Abadi studies connections between many possible axiomatizations of says, as well as higher level policy constructs such as delegation and control [4].

Also related to DTL0 is work on languages for authorization (e.g., [11, 24, 37, 47]), most notably the languages Soutei and Binder [24, 47]. Our use of the term "context" is borrowed from the latter. Binder was also one of the earliest languages to explicitly define a notion of exporting policies from one context to another, which is very similar to publication of policies illustrated in Section 2. The pre-order ⪰ on principals draws on ideas from the Dependency Core Calculus [3, 5], where the modal indices are elements of a lattice.

Our Kripke semantics, as well as the completeness proof, are based on those of Alechina et al.'s work [7] for constructive S4. View functions were used earlier by the author and Abadi to describe semantics of authorization logics with lax-like modalities [31]. Fallible worlds have been used in the past to explain intuitionistic logic [26, 49], and also in semantics of lax logic [27]. It also appears to us that DTL0 may be closely related to intuitionistic hybrid logics, and especially to the work of Chadha and others [22], but further investigation is needed to make an explicit connection. The presentation of the sequent calculus for DTL0 is inspired by Pfenning and Davies' work on constructive S4 [46], and more directly by earlier work of the author and others [32].

7 Conclusion

We have presented a new constructive authorization logic, which explicitly relativizes hypothetical reasoning to the policies of individual principals. We have described the proof-theory and Kripke semantics of the logic. In ongoing work, we are considering extensions of the logic with first-order connectives, explicit time, and linearity to model other policy motifs. In a separate line of research, we are implementing a file system that uses this logic to represent policies of access control.

There are several other avenues for future work. For instance, there seem to be strong connections between DTL0 and hybrid logics. A useful generalization of DTL0 would be to internalize the pre-order ⪰ as a formula. Such an extension would allow us to model delegation, along the lines of the "speaks for" connective present in some authorization logics [3, 6, 31, 39]. Although the proof-theory of such an extension is relatively straightforward, it would be interesting to see its effects on Kripke semantics.

Acknowledgment. The author wishes to acknowledge Frank Pfenning for discussions and feedback on the logic and the paper, and Martin Abadi for feedback on the logic.
A β-reduction and η-expansion

This appendix lists all the β-reduction and η-expansion rules.

β-reduction

$$\frac{\Gamma \vdash_K t_1 : A \qquad \Gamma \vdash_K t_2 : B}{\Gamma \vdash_K \mathsf{proj}_1\,\langle t_1, t_2 \rangle \leadsto_\beta t_1 : A}
\qquad
\frac{\Gamma \vdash_K t_1 : A \qquad \Gamma \vdash_K t_2 : B}{\Gamma \vdash_K \mathsf{proj}_2\,\langle t_1, t_2 \rangle \leadsto_\beta t_2 : B}$$

$$\frac{\Gamma \vdash_K t : A \qquad \Gamma, x{:}A \vdash_K t_1 : C \qquad \Gamma, y{:}B \vdash_K t_2 : C}{\Gamma \vdash_K \mathsf{case}(\mathsf{inl}\ t, x.t_1, y.t_2) \leadsto_\beta [t/x]t_1 : C}$$

$$\frac{\Gamma \vdash_K t : B \qquad \Gamma, x{:}A \vdash_K t_1 : C \qquad \Gamma, y{:}B \vdash_K t_2 : C}{\Gamma \vdash_K \mathsf{case}(\mathsf{inr}\ t, x.t_1, y.t_2) \leadsto_\beta [t/y]t_2 : C}$$

$$\frac{\Gamma, x{:}A \vdash_K t_1 : B \qquad \Gamma \vdash_K t_2 : A}{\Gamma \vdash_K (\lambda x.t_1)\ t_2 \leadsto_\beta [t_2/x]t_1 : B}
\qquad
\frac{\Gamma|_K \vdash_K t_1 : A \qquad \Gamma, x{:}K\ \mathsf{claims}\ A \vdash_{K'} t_2 : C}{\Gamma \vdash_{K'} (\{t_1\}_K \Rightarrow x.t_2) \leadsto_\beta [t_1/x]t_2 : C}$$

η-expansion

$$\frac{\Gamma \vdash_K t : A \wedge B}{\Gamma \vdash_K t \leadsto_\eta \langle \mathsf{proj}_1\,t, \mathsf{proj}_2\,t \rangle : A \wedge B}
\qquad
\frac{\Gamma \vdash_K t : A \vee B}{\Gamma \vdash_K t \leadsto_\eta \mathsf{case}(t, x.\mathsf{inl}\ x, y.\mathsf{inr}\ y) : A \vee B}$$

$$\frac{\Gamma \vdash_K t : \top}{\Gamma \vdash_K t \leadsto_\eta \langle\rangle : \top}
\qquad
\frac{\Gamma \vdash_K t : \bot}{\Gamma \vdash_K t \leadsto_\eta \mathsf{abort}\ t : \bot}$$

$$\frac{\Gamma \vdash_K t : A \supset B}{\Gamma \vdash_K t \leadsto_\eta \lambda x.(t\ x) : A \supset B}\ (x \notin \Gamma)
\qquad
\frac{\Gamma \vdash_K t : K\ \mathsf{says}\ A}{\Gamma \vdash_K t \leadsto_\eta (t \Rightarrow x.\{x\}_K) : K\ \mathsf{says}\ A}$$
Congruence rules

$$\frac{\Gamma|_K \vdash_K t \leadsto t' : A}{\Gamma \vdash_{K'} \{t\}_K \leadsto \{t'\}_K : K\ \mathsf{says}\ A}$$

$$\frac{\Gamma \vdash_K t_1 \leadsto t_1' : K\ \mathsf{says}\ A \qquad \Gamma, x{:}K\ \mathsf{claims}\ A \vdash_K t_2 : C}{\Gamma \vdash_K (t_1 \Rightarrow x.t_2) \leadsto (t_1' \Rightarrow x.t_2) : C}$$

$$\frac{\Gamma \vdash_K t_1 : K\ \mathsf{says}\ A \qquad \Gamma, x{:}K\ \mathsf{claims}\ A \vdash_K t_2 \leadsto t_2' : C}{\Gamma \vdash_K (t_1 \Rightarrow x.t_2) \leadsto (t_1 \Rightarrow x.t_2') : C}$$

$$\frac{\Gamma \vdash_K t_1 \leadsto t_1' : A \qquad \Gamma \vdash_K t_2 : B}{\Gamma \vdash_K \langle t_1, t_2 \rangle \leadsto \langle t_1', t_2 \rangle : A \wedge B}
\qquad
\frac{\Gamma \vdash_K t_1 : A \qquad \Gamma \vdash_K t_2 \leadsto t_2' : B}{\Gamma \vdash_K \langle t_1, t_2 \rangle \leadsto \langle t_1, t_2' \rangle : A \wedge B}$$

$$\frac{\Gamma \vdash_K t \leadsto t' : A \wedge B}{\Gamma \vdash_K \mathsf{proj}_1\,t \leadsto \mathsf{proj}_1\,t' : A}
\qquad
\frac{\Gamma \vdash_K t \leadsto t' : A \wedge B}{\Gamma \vdash_K \mathsf{proj}_2\,t \leadsto \mathsf{proj}_2\,t' : B}$$

$$\frac{\Gamma \vdash_K t \leadsto t' : A}{\Gamma \vdash_K \mathsf{inl}\ t \leadsto \mathsf{inl}\ t' : A \vee B}
\qquad
\frac{\Gamma \vdash_K t \leadsto t' : B}{\Gamma \vdash_K \mathsf{inr}\ t \leadsto \mathsf{inr}\ t' : A \vee B}$$

$$\frac{\Gamma \vdash_K t \leadsto t' : A \vee B \qquad \Gamma, x{:}A \vdash_K t_1 : C \qquad \Gamma, y{:}B \vdash_K t_2 : C}{\Gamma \vdash_K \mathsf{case}(t, x.t_1, y.t_2) \leadsto \mathsf{case}(t', x.t_1, y.t_2) : C}$$

$$\frac{\Gamma \vdash_K t : A \vee B \qquad \Gamma, x{:}A \vdash_K t_1 \leadsto t_1' : C \qquad \Gamma, y{:}B \vdash_K t_2 : C}{\Gamma \vdash_K \mathsf{case}(t, x.t_1, y.t_2) \leadsto \mathsf{case}(t, x.t_1', y.t_2) : C}$$

$$\frac{\Gamma \vdash_K t : A \vee B \qquad \Gamma, x{:}A \vdash_K t_1 : C \qquad \Gamma, y{:}B \vdash_K t_2 \leadsto t_2' : C}{\Gamma \vdash_K \mathsf{case}(t, x.t_1, y.t_2) \leadsto \mathsf{case}(t, x.t_1, y.t_2') : C}$$

$$\frac{\Gamma \vdash_K t \leadsto t' : \bot}{\Gamma \vdash_K \mathsf{abort}\ t \leadsto \mathsf{abort}\ t' : C}
\qquad
\frac{\Gamma, x{:}A \vdash_K t \leadsto t' : B}{\Gamma \vdash_K \lambda x.t \leadsto \lambda x.t' : A \supset B}$$

$$\frac{\Gamma \vdash_K t_1 \leadsto t_1' : A \supset B \qquad \Gamma \vdash_K t_2 : A}{\Gamma \vdash_K t_1\ t_2 \leadsto t_1'\ t_2 : B}
\qquad
\frac{\Gamma \vdash_K t_1 : A \supset B \qquad \Gamma \vdash_K t_2 \leadsto t_2' : A}{\Gamma \vdash_K t_1\ t_2 \leadsto t_1\ t_2' : B}$$


B Properties of the Sequent Calculus (Section 3.5)

In this appendix, we describe proofs of Theorems from Section 3.5. We start with subsumption.

Theorem B.1 (Subsumption; Theorem 3.6). $\Gamma \xrightarrow{K} A$ and $K \succeq K'$ imply $\Gamma \xrightarrow{K'} A$.

Proof. By induction on the given derivation of $\Gamma \xrightarrow{K} A$. We analyze cases of the last rule in the derivation.


Case.
$$\frac{P\ \text{atomic}}{\Gamma, P \xrightarrow{K} P}\ \mathrm{init}$$
1. $\Gamma, P \xrightarrow{K'} P$ (Rule (init))

Case.
$$\frac{\Gamma, K''\ \mathsf{claims}\ A, A \xrightarrow{K} C \qquad K'' \succeq K}{\Gamma, K''\ \mathsf{claims}\ A \xrightarrow{K} C}\ \mathrm{claims}$$
1. $\Gamma, K''\ \mathsf{claims}\ A, A \xrightarrow{K'} C$ (i.h.)
2. $K'' \succeq K$ (Premise)
3. $K \succeq K'$ (Assumption)
4. $K'' \succeq K'$ (Transitivity 2, 3)
5. $\Gamma, K''\ \mathsf{claims}\ A \xrightarrow{K'} C$ (Rule (claims) 1, 4)

Case.
$$\frac{\Gamma|_{K''} \xrightarrow{K''} A}{\Gamma \xrightarrow{K} K''\ \mathsf{says}\ A}\ \mathrm{saysR}$$
1. $\Gamma|_{K''} \xrightarrow{K''} A$ (Premise)
2. $\Gamma \xrightarrow{K'} K''\ \mathsf{says}\ A$ (Rule (saysR))

Case.
$$\frac{\Gamma, K''\ \mathsf{says}\ A, K''\ \mathsf{claims}\ A \xrightarrow{K} C}{\Gamma, K''\ \mathsf{says}\ A \xrightarrow{K} C}\ \mathrm{saysL}$$
1. $\Gamma, K''\ \mathsf{says}\ A, K''\ \mathsf{claims}\ A \xrightarrow{K'} C$ (i.h.)
2. $\Gamma, K''\ \mathsf{says}\ A \xrightarrow{K'} C$ (Rule (saysL))

Case.
$$\frac{\Gamma \xrightarrow{K} A \qquad \Gamma \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \wedge B}\ \wedge\mathrm{R}$$
1. $\Gamma \xrightarrow{K'} A$ (i.h.)
2. $\Gamma \xrightarrow{K'} B$ (i.h.)
3. $\Gamma \xrightarrow{K'} A \wedge B$ (Rule (∧R) 1, 2)

Cases (∧L), (∨R1), (∨R2), (∨L), (⊤R), (⊥L) and (⊃R) are analogous: the i.h. is applied to each premise of the last rule (there is none for (⊤R) and (⊥L)), and the same rule is then applied at K'. The justifications are, respectively: (i.h.), (Rule (∧L)); (i.h.), (Rule (∨R1)); (i.h.), (Rule (∨R2)); (i.h.), (i.h.), (Rule (∨L) 1, 2); (Rule (⊤R)); (Rule (⊥L)); (i.h.), (Rule (⊃R)).

Case.
$$\frac{\Gamma, A \supset B \xrightarrow{K} A \qquad \Gamma, A \supset B, B \xrightarrow{K} C}{\Gamma, A \supset B \xrightarrow{K} C}\ \supset\mathrm{L}$$
1. $\Gamma, A \supset B \xrightarrow{K'} A$ (i.h.)
2. $\Gamma, A \supset B, B \xrightarrow{K'} C$ (i.h.)
3. $\Gamma, A \supset B \xrightarrow{K'} C$ (Rule (⊃L))
□


Theorem B.2 (Admissibility of Cut; Theorem 3.7). The following cut principles hold for the sequent calculus of Figure 4.

1. $\Gamma \xrightarrow{K} A$ and $\Gamma, A \xrightarrow{K} C$ imply that $\Gamma \xrightarrow{K} C$.

2. $\Gamma|_K \xrightarrow{K} A$ and $\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C$ imply that $\Gamma \xrightarrow{K'} C$.

Proof. We prove both statements simultaneously by lexicographic induction, first on the size of the cut judgment, and then on the size of the two given derivations, as in earlier work [45]. For the size of the cut judgment, we assume the strict order (K says A) true > (K claims A) > A true. We analyze cases on the last rules in the two given derivations, which we name $\mathcal{D}$ and $\mathcal{E}$ respectively. We classify all the rules into right and left. Right rules are (saysR), (∧R), (∨R1), (∨R2), (⊤R), and (⊃R). The remaining rules, including (init), are left rules.

For proving (1), we first analyze three broad categories:

1. $\mathcal{E}$ ends in a right rule.

2. $\mathcal{E}$ ends in a left rule, and the cut is non-principal.

3. $\mathcal{D}$ ends in a left rule.

This leaves only the possibility where $\mathcal{E}$ ends in a left rule, $\mathcal{D}$ ends in a right rule, and the cut is principal. In this case we observe that the last rules in $\mathcal{D}$ and $\mathcal{E}$ must be right and left rules of the same connective. We call these cases principal cuts.

For proving (2), we analyze cases on the last rule in $\mathcal{E}$.

Proof of (1).

Cases where $\mathcal{E}$ ends in a right rule.

Case.
$$\mathcal{E} = \frac{\Gamma|_{K'} \xrightarrow{K'} B}{\Gamma, A \xrightarrow{K} K'\ \mathsf{says}\ B}\ \mathrm{saysR} \qquad (\text{Note: } A \notin \Gamma|_{K'})$$
1. $\Gamma|_{K'} \xrightarrow{K'} B$ (Premise)
2. $\Gamma \xrightarrow{K} K'\ \mathsf{says}\ B$ (Rule (saysR))

Case.
$$\mathcal{E} = \frac{\Gamma, A \xrightarrow{K} C_1 \qquad \Gamma, A \xrightarrow{K} C_2}{\Gamma, A \xrightarrow{K} C_1 \wedge C_2}\ \wedge\mathrm{R}$$
1. $\Gamma \xrightarrow{K} C_1$ (i.h. on $\mathcal{D}$ and 1st premise)
2. $\Gamma \xrightarrow{K} C_2$ (i.h. on $\mathcal{D}$ and 2nd premise)
3. $\Gamma \xrightarrow{K} C_1 \wedge C_2$ (Rule (∧R))

Case.
$$\mathcal{E} = \frac{\Gamma, A \xrightarrow{K} C_1}{\Gamma, A \xrightarrow{K} C_1 \vee C_2}\ \vee\mathrm{R}_1$$
1. $\Gamma \xrightarrow{K} C_1$ (i.h. on $\mathcal{D}$ and premise)
2. $\Gamma \xrightarrow{K} C_1 \vee C_2$ (Rule (∨R1))

Case.
$$\mathcal{E} = \frac{\Gamma, A \xrightarrow{K} C_2}{\Gamma, A \xrightarrow{K} C_1 \vee C_2}\ \vee\mathrm{R}_2$$
1. $\Gamma \xrightarrow{K} C_2$ (i.h. on $\mathcal{D}$ and premise)
2. $\Gamma \xrightarrow{K} C_1 \vee C_2$ (Rule (∨R2))

Case.
$$\mathcal{E} = \frac{}{\Gamma, A \xrightarrow{K} \top}\ \top\mathrm{R}$$
1. $\Gamma \xrightarrow{K} \top$ (Rule (⊤R))

Case.
$$\mathcal{E} = \frac{\Gamma, A, C_1 \xrightarrow{K} C_2}{\Gamma, A \xrightarrow{K} C_1 \supset C_2}\ \supset\mathrm{R}$$
1. $\Gamma, C_1 \xrightarrow{K} C_2$ (i.h. on $\mathcal{D}$ and premise)
2. $\Gamma \xrightarrow{K} C_1 \supset C_2$ (Rule (⊃R))


Cases where $\mathcal{E}$ ends in a left rule and cut is not principal.

Case.
$$\mathcal{E} = \frac{P\ \text{atomic}}{\Gamma, A, P \xrightarrow{K} P}\ \mathrm{init}$$
1. $\Gamma, P \xrightarrow{K} P$ (Rule (init))

Case.
$$\mathcal{E} = \frac{\Gamma, A, K'\ \mathsf{claims}\ B, B \xrightarrow{K} C \qquad K' \succeq K}{\Gamma, A, K'\ \mathsf{claims}\ B \xrightarrow{K} C}\ \mathrm{claims}$$
1. $\Gamma, K'\ \mathsf{claims}\ B, B \xrightarrow{K} C$ (i.h. on $\mathcal{D}$ and premise)
2. $\Gamma, K'\ \mathsf{claims}\ B \xrightarrow{K} C$ (Rule (claims))

Case.
$$\mathcal{E} = \frac{\Gamma, A, K'\ \mathsf{says}\ B, K'\ \mathsf{claims}\ B \xrightarrow{K} C}{\Gamma, A, K'\ \mathsf{says}\ B \xrightarrow{K} C}\ \mathrm{saysL}$$
1. $\Gamma, K'\ \mathsf{says}\ B, K'\ \mathsf{claims}\ B \xrightarrow{K} C$ (i.h. on $\mathcal{D}$ and premise)
2. $\Gamma, K'\ \mathsf{says}\ B \xrightarrow{K} C$ (Rule (saysL))

Case.
$$\mathcal{E} = \frac{\Gamma, A, B_1 \wedge B_2, B_1, B_2 \xrightarrow{K} C}{\Gamma, A, B_1 \wedge B_2 \xrightarrow{K} C}\ \wedge\mathrm{L}$$
1. $\Gamma, B_1 \wedge B_2, B_1, B_2 \xrightarrow{K} C$ (i.h. on $\mathcal{D}$ and premise)
2. $\Gamma, B_1 \wedge B_2 \xrightarrow{K} C$ (Rule (∧L))

Case.
$$\mathcal{E} = \frac{\Gamma, A, B_1 \vee B_2, B_1 \xrightarrow{K} C \qquad \Gamma, A, B_1 \vee B_2, B_2 \xrightarrow{K} C}{\Gamma, A, B_1 \vee B_2 \xrightarrow{K} C}\ \vee\mathrm{L}$$
1. $\Gamma, B_1 \vee B_2, B_1 \xrightarrow{K} C$ (i.h. on $\mathcal{D}$ and 1st premise)
2. $\Gamma, B_1 \vee B_2, B_2 \xrightarrow{K} C$ (i.h. on $\mathcal{D}$ and 2nd premise)
3. $\Gamma, B_1 \vee B_2 \xrightarrow{K} C$ (Rule (∨L))

Case.
$$\mathcal{E} = \frac{}{\Gamma, A, \bot \xrightarrow{K} C}\ \bot\mathrm{L}$$
1. $\Gamma, \bot \xrightarrow{K} C$ (Rule (⊥L))

Case.
$$\mathcal{E} = \frac{\Gamma, A, B_1 \supset B_2 \xrightarrow{K} B_1 \qquad \Gamma, A, B_1 \supset B_2, B_2 \xrightarrow{K} C}{\Gamma, A, B_1 \supset B_2 \xrightarrow{K} C}\ \supset\mathrm{L}$$
1. $\Gamma, B_1 \supset B_2 \xrightarrow{K} B_1$ (i.h. on $\mathcal{D}$ and 1st premise)
2. $\Gamma, B_1 \supset B_2, B_2 \xrightarrow{K} C$ (i.h. on $\mathcal{D}$ and 2nd premise)
3. $\Gamma, B_1 \supset B_2 \xrightarrow{K} C$ (Rule (⊃L))


Cases where $\mathcal{D}$ ends in a left rule.

Case.
$$\mathcal{D} = \frac{A\ \text{atomic}}{\Gamma, A \xrightarrow{K} A}\ \mathrm{init}$$
1. $\mathcal{E} :: \Gamma, A, A \xrightarrow{K} C$ (Assumption)
2. $\Gamma, A \xrightarrow{K} C$ (Strengthening)

Case.
$$\mathcal{D} = \frac{\Gamma, K'\ \mathsf{claims}\ B, B \xrightarrow{K} A \qquad K' \succeq K}{\Gamma, K'\ \mathsf{claims}\ B \xrightarrow{K} A}\ \mathrm{claims}$$
1. $\mathcal{E} :: \Gamma, K'\ \mathsf{claims}\ B, A \xrightarrow{K} C$ (Assumption)
2. $\Gamma, K'\ \mathsf{claims}\ B, B, A \xrightarrow{K} C$ (Weakening)
3. $\Gamma, K'\ \mathsf{claims}\ B, B \xrightarrow{K} C$ (i.h. on premise and 2)
4. $\Gamma, K'\ \mathsf{claims}\ B \xrightarrow{K} C$ (Rule (claims))

Case.
$$\mathcal{D} = \frac{\Gamma, K'\ \mathsf{says}\ B, K'\ \mathsf{claims}\ B \xrightarrow{K} A}{\Gamma, K'\ \mathsf{says}\ B \xrightarrow{K} A}\ \mathrm{saysL}$$
1. $\mathcal{E} :: \Gamma, K'\ \mathsf{says}\ B, A \xrightarrow{K} C$ (Assumption)
2. $\Gamma, K'\ \mathsf{says}\ B, K'\ \mathsf{claims}\ B, A \xrightarrow{K} C$ (Weakening)
3. $\Gamma, K'\ \mathsf{says}\ B, K'\ \mathsf{claims}\ B \xrightarrow{K} C$ (i.h. on premise and 2)
4. $\Gamma, K'\ \mathsf{says}\ B \xrightarrow{K} C$ (Rule (saysL))

Case.
$$\mathcal{D} = \frac{\Gamma, B_1 \wedge B_2, B_1, B_2 \xrightarrow{K} A}{\Gamma, B_1 \wedge B_2 \xrightarrow{K} A}\ \wedge\mathrm{L}$$
1. $\mathcal{E} :: \Gamma, B_1 \wedge B_2, A \xrightarrow{K} C$ (Assumption)
2. $\Gamma, B_1 \wedge B_2, B_1, B_2, A \xrightarrow{K} C$ (Weakening)
3. $\Gamma, B_1 \wedge B_2, B_1, B_2 \xrightarrow{K} C$ (i.h. on premise and 2)
4. $\Gamma, B_1 \wedge B_2 \xrightarrow{K} C$ (Rule (∧L))

Case.
$$\mathcal{D} = \frac{\Gamma, B_1 \vee B_2, B_1 \xrightarrow{K} A \qquad \Gamma, B_1 \vee B_2, B_2 \xrightarrow{K} A}{\Gamma, B_1 \vee B_2 \xrightarrow{K} A}\ \vee\mathrm{L}$$
1. $\mathcal{E} :: \Gamma, B_1 \vee B_2, A \xrightarrow{K} C$ (Assumption)
2. $\Gamma, B_1 \vee B_2, B_1, A \xrightarrow{K} C$ (Weakening on 1)
3. $\Gamma, B_1 \vee B_2, B_1 \xrightarrow{K} C$ (i.h. on 1st premise and 2)
4. $\Gamma, B_1 \vee B_2, B_2, A \xrightarrow{K} C$ (Weakening on 1)
5. $\Gamma, B_1 \vee B_2, B_2 \xrightarrow{K} C$ (i.h. on 2nd premise and 4)
6. $\Gamma, B_1 \vee B_2 \xrightarrow{K} C$ (Rule (∨L) on 3, 5)

Case.
$$\mathcal{D} = \frac{}{\Gamma, \bot \xrightarrow{K} A}\ \bot\mathrm{L}$$
1. $\mathcal{E} :: \Gamma, \bot, A \xrightarrow{K} C$ (Assumption)
2. $\Gamma, \bot \xrightarrow{K} C$ (Rule (⊥L))

Case.
$$\mathcal{D} = \frac{\Gamma, B_1 \supset B_2 \xrightarrow{K} B_1 \qquad \Gamma, B_1 \supset B_2, B_2 \xrightarrow{K} A}{\Gamma, B_1 \supset B_2 \xrightarrow{K} A}\ \supset\mathrm{L}$$
1. $\mathcal{E} :: \Gamma, B_1 \supset B_2, A \xrightarrow{K} C$ (Assumption)
2. $\Gamma, B_1 \supset B_2, B_2, A \xrightarrow{K} C$ (Weakening)
3. $\Gamma, B_1 \supset B_2, B_2 \xrightarrow{K} C$ (i.h. on 2nd premise and 2)
4. $\Gamma, B_1 \supset B_2 \xrightarrow{K} C$ (Rule (⊃L) on 1st premise and 3)


Cases of principal cuts. $\mathcal{D}$ ends in a right rule, and $\mathcal{E}$ ends in a left rule. Note that there are no principal cuts when $\mathcal{E}$ ends in (init) or (⊥L), because there are no right rules for atomic formulas or ⊥. Similarly, there is no case for principal cut if $\mathcal{D}$ ends in (⊤R) because ⊤ has no left rule. The case of principal cut when $\mathcal{E}$ ends in rule (claims) is covered in clause (2) of the theorem.

Case.
$$\mathcal{D} = \frac{\Gamma|_{K'} \xrightarrow{K'} A}{\Gamma \xrightarrow{K} K'\ \mathsf{says}\ A}\ \mathrm{saysR}
\qquad
\mathcal{E} = \frac{\Gamma, K'\ \mathsf{says}\ A, K'\ \mathsf{claims}\ A \xrightarrow{K} C}{\Gamma, K'\ \mathsf{says}\ A \xrightarrow{K} C}\ \mathrm{saysL}$$
1. $\Gamma, K'\ \mathsf{claims}\ A \xrightarrow{K} C$ (i.h. on $\mathcal{D}$ and premise of $\mathcal{E}$)
2. $\Gamma \xrightarrow{K} C$ (i.h.(2) on premise of $\mathcal{D}$ and 1)

Case.
$$\mathcal{D} = \frac{\Gamma \xrightarrow{K} A \qquad \Gamma \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \wedge B}\ \wedge\mathrm{R}
\qquad
\mathcal{E} = \frac{\Gamma, A \wedge B, A, B \xrightarrow{K} C}{\Gamma, A \wedge B \xrightarrow{K} C}\ \wedge\mathrm{L}$$
1. $\Gamma, A, B \xrightarrow{K} C$ (i.h. on $\mathcal{D}$ and premise of $\mathcal{E}$)
2. $\Gamma, B \xrightarrow{K} C$ (i.h. on 1st premise of $\mathcal{D}$ and 1)
3. $\Gamma \xrightarrow{K} C$ (i.h. on 2nd premise of $\mathcal{D}$ and 2)

Case.
$$\mathcal{D} = \frac{\Gamma \xrightarrow{K} A}{\Gamma \xrightarrow{K} A \vee B}\ \vee\mathrm{R}_1
\qquad
\mathcal{E} = \frac{\Gamma, A \vee B, A \xrightarrow{K} C \qquad \Gamma, A \vee B, B \xrightarrow{K} C}{\Gamma, A \vee B \xrightarrow{K} C}\ \vee\mathrm{L}$$
1. $\Gamma, A \xrightarrow{K} C$ (i.h. on $\mathcal{D}$ and 1st premise of $\mathcal{E}$)
2. $\Gamma \xrightarrow{K} C$ (i.h. on premise of $\mathcal{D}$ and 1)

Case.
$$\mathcal{D} = \frac{\Gamma \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \vee B}\ \vee\mathrm{R}_2
\qquad
\mathcal{E} = \frac{\Gamma, A \vee B, A \xrightarrow{K} C \qquad \Gamma, A \vee B, B \xrightarrow{K} C}{\Gamma, A \vee B \xrightarrow{K} C}\ \vee\mathrm{L}$$
1. $\Gamma, B \xrightarrow{K} C$ (i.h. on $\mathcal{D}$ and 2nd premise of $\mathcal{E}$)
2. $\Gamma \xrightarrow{K} C$ (i.h. on premise of $\mathcal{D}$ and 1)

Case.
$$\mathcal{D} = \frac{\Gamma, A \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \supset B}\ \supset\mathrm{R}
\qquad
\mathcal{E} = \frac{\Gamma, A \supset B \xrightarrow{K} A \qquad \Gamma, A \supset B, B \xrightarrow{K} C}{\Gamma, A \supset B \xrightarrow{K} C}\ \supset\mathrm{L}$$
1. $\Gamma, B \xrightarrow{K} C$ (i.h. on $\mathcal{D}$ and 2nd premise of $\mathcal{E}$)
2. $\Gamma, A \xrightarrow{K} C$ (i.h. on premise of $\mathcal{D}$ and 1)
3. $\Gamma \xrightarrow{K} A$ (i.h. on $\mathcal{D}$ and 1st premise of $\mathcal{E}$)
4. $\Gamma \xrightarrow{K} C$ (i.h. on 3 and 2)

Proof of (2).

We analyze cases on the last rule of $\mathcal{E}$.

Case. $\mathcal{E} =$
$$\frac{P\ \text{atomic}}{\Gamma, K\ \mathsf{claims}\ A, P \xrightarrow{K'} P}\ (\mathsf{init})$$

1. $\Gamma, P \xrightarrow{K'} P$ (Rule (init))

Case. $\mathcal{E} =$ (Principal cut)
$$\frac{\Gamma, K\ \mathsf{claims}\ A, A \xrightarrow{K'} C \qquad K \succeq K'}{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C}\ (\mathsf{claims})$$

1. $\mathcal{D} :: \Gamma|_K \xrightarrow{K} A$ (Assumption)
2. $\Gamma, A \xrightarrow{K'} C$ (i.h. on $\mathcal{D}$ and 1st premise of $\mathcal{E}$)
3. $\Gamma \xrightarrow{K} A$ (Weakening on 1)
4. $\Gamma \xrightarrow{K'} A$ (Subsumption (Theorem B.1) on 3 using $K \succeq K'$)
5. $\Gamma \xrightarrow{K'} C$ (i.h. (1) on 4 and 2)

Case. $\mathcal{E} =$ (Non-principal cut)
$$\frac{\Gamma, K\ \mathsf{claims}\ A, K''\ \mathsf{claims}\ B, B \xrightarrow{K'} C \qquad K'' \succeq K'}{\Gamma, K\ \mathsf{claims}\ A, K''\ \mathsf{claims}\ B \xrightarrow{K'} C}\ (\mathsf{claims})$$

1. $\Gamma, K''\ \mathsf{claims}\ B, B \xrightarrow{K'} C$ (i.h. on $\mathcal{D}$ and 1st premise of $\mathcal{E}$)
2. $\Gamma, K''\ \mathsf{claims}\ B \xrightarrow{K'} C$ (Rule (claims) on 1 and $K'' \succeq K'$)

Case. $\mathcal{E} =$ ($K \succeq K''$, so $K\ \mathsf{claims}\ A$ survives the restriction to $K''$)
$$\frac{\Gamma|_{K''}, K\ \mathsf{claims}\ A \xrightarrow{K''} C}{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} K''\ \mathsf{says}\ C}\ (\mathsf{saysR})$$

1. $\mathcal{D} :: \Gamma|_K \xrightarrow{K} A$ (Assumption)
2. $\Gamma|_{K''}|_K = \Gamma|_K$ (Assumption $K \succeq K''$)
3. $\mathcal{D} :: \Gamma|_{K''}|_K \xrightarrow{K} A$ (From 1 and 2)
4. $\Gamma|_{K''} \xrightarrow{K''} C$ (i.h. on 3 and premise of $\mathcal{E}$)
5. $\Gamma \xrightarrow{K'} K''\ \mathsf{says}\ C$ (Rule (saysR) on 4)

Case. $\mathcal{E} =$ ($K \not\succeq K''$, so $K\ \mathsf{claims}\ A$ is dropped by the restriction to $K''$)
$$\frac{\Gamma|_{K''} \xrightarrow{K''} C}{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} K''\ \mathsf{says}\ C}\ (\mathsf{saysR})$$

1. $\Gamma \xrightarrow{K'} K''\ \mathsf{says}\ C$ (Rule (saysR) on premise of $\mathcal{E}$)

Case. $\mathcal{E} =$
$$\frac{\Gamma, K\ \mathsf{claims}\ A, K''\ \mathsf{says}\ B, K''\ \mathsf{claims}\ B \xrightarrow{K'} C}{\Gamma, K\ \mathsf{claims}\ A, K''\ \mathsf{says}\ B \xrightarrow{K'} C}\ (\mathsf{saysL})$$

1. $\mathcal{D} :: \Gamma|_K \xrightarrow{K} A$ (Assumption)
2. $(\Gamma, K''\ \mathsf{says}\ B, K''\ \mathsf{claims}\ B)|_K \xrightarrow{K} A$ (Possibly Weakening 1)
3. $\Gamma, K''\ \mathsf{says}\ B, K''\ \mathsf{claims}\ B \xrightarrow{K'} C$ (i.h. on 2 and premise of $\mathcal{E}$)
4. $\Gamma, K''\ \mathsf{says}\ B \xrightarrow{K'} C$ (Rule (saysL))

Case. $\mathcal{E} =$
$$\frac{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C_1 \qquad \Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C_2}{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C_1 \wedge C_2}\ (\wedge R)$$

1. $\Gamma \xrightarrow{K'} C_1$ (i.h. on $\mathcal{D}$ and 1st premise of $\mathcal{E}$)
2. $\Gamma \xrightarrow{K'} C_2$ (i.h. on $\mathcal{D}$ and 2nd premise of $\mathcal{E}$)
3. $\Gamma \xrightarrow{K'} C_1 \wedge C_2$ (Rule ($\wedge$R))

Case. $\mathcal{E} =$
$$\frac{\Gamma, K\ \mathsf{claims}\ A, B_1 \wedge B_2, B_1, B_2 \xrightarrow{K'} C}{\Gamma, K\ \mathsf{claims}\ A, B_1 \wedge B_2 \xrightarrow{K'} C}\ (\wedge L)$$

1. $\Gamma, B_1 \wedge B_2, B_1, B_2 \xrightarrow{K'} C$ (i.h. on $\mathcal{D}$ and premise of $\mathcal{E}$)
2. $\Gamma, B_1 \wedge B_2 \xrightarrow{K'} C$ (Rule ($\wedge$L))

Case. $\mathcal{E} =$
$$\frac{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C_1}{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C_1 \vee C_2}\ (\vee R_1)$$

1. $\Gamma \xrightarrow{K'} C_1$ (i.h. on $\mathcal{D}$ and premise of $\mathcal{E}$)
2. $\Gamma \xrightarrow{K'} C_1 \vee C_2$ (Rule ($\vee$R$_1$))

Case. $\mathcal{E} =$
$$\frac{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C_2}{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C_1 \vee C_2}\ (\vee R_2)$$

1. $\Gamma \xrightarrow{K'} C_2$ (i.h. on $\mathcal{D}$ and premise of $\mathcal{E}$)
2. $\Gamma \xrightarrow{K'} C_1 \vee C_2$ (Rule ($\vee$R$_2$))

Case. $\mathcal{E} =$
$$\frac{\Gamma, K\ \mathsf{claims}\ A, B_1 \vee B_2, B_1 \xrightarrow{K'} C \qquad \Gamma, K\ \mathsf{claims}\ A, B_1 \vee B_2, B_2 \xrightarrow{K'} C}{\Gamma, K\ \mathsf{claims}\ A, B_1 \vee B_2 \xrightarrow{K'} C}\ (\vee L)$$

1. $\Gamma, B_1 \vee B_2, B_1 \xrightarrow{K'} C$ (i.h. on $\mathcal{D}$ and 1st premise of $\mathcal{E}$)
2. $\Gamma, B_1 \vee B_2, B_2 \xrightarrow{K'} C$ (i.h. on $\mathcal{D}$ and 2nd premise of $\mathcal{E}$)
3. $\Gamma, B_1 \vee B_2 \xrightarrow{K'} C$ (Rule ($\vee$L))

Case. $\mathcal{E} =$
$$\frac{}{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} \top}\ (\top R)$$

1. $\Gamma \xrightarrow{K'} \top$ (Rule ($\top$R))

Case. $\mathcal{E} =$
$$\frac{}{\Gamma, K\ \mathsf{claims}\ A, \bot \xrightarrow{K'} C}\ (\bot L)$$

1. $\Gamma, \bot \xrightarrow{K'} C$ (Rule ($\bot$L))

Case. $\mathcal{E} =$
$$\frac{\Gamma, K\ \mathsf{claims}\ A, C_1 \xrightarrow{K'} C_2}{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C_1 \supset C_2}\ (\supset R)$$

1. $\Gamma, C_1 \xrightarrow{K'} C_2$ (i.h. on $\mathcal{D}$ and premise of $\mathcal{E}$)
2. $\Gamma \xrightarrow{K'} C_1 \supset C_2$ (Rule ($\supset$R))

Case. $\mathcal{E} =$
$$\frac{\Gamma, K\ \mathsf{claims}\ A, B_1 \supset B_2 \xrightarrow{K'} B_1 \qquad \Gamma, K\ \mathsf{claims}\ A, B_1 \supset B_2, B_2 \xrightarrow{K'} C}{\Gamma, K\ \mathsf{claims}\ A, B_1 \supset B_2 \xrightarrow{K'} C}\ (\supset L)$$

1. $\Gamma, B_1 \supset B_2 \xrightarrow{K'} B_1$ (i.h. on $\mathcal{D}$ and 1st premise of $\mathcal{E}$)
2. $\Gamma, B_1 \supset B_2, B_2 \xrightarrow{K'} C$ (i.h. on $\mathcal{D}$ and 2nd premise of $\mathcal{E}$)
3. $\Gamma, B_1 \supset B_2 \xrightarrow{K'} C$ (Rule ($\supset$L))

□
Theorem B.3 (Identity; Theorem 3.8). For each formula $A$, $\Gamma, A \xrightarrow{K} A$.

Proof. By induction on $A$.

Case. $A = P$ ($A$ is atomic)

1. $\Gamma, P \xrightarrow{K} P$ (Rule (init))

Case. $A = A_1 \wedge A_2$

1. $\Gamma, A_1 \wedge A_2, A_1, A_2 \xrightarrow{K} A_1$ (i.h.)
2. $\Gamma, A_1 \wedge A_2, A_1, A_2 \xrightarrow{K} A_2$ (i.h.)
3. $\Gamma, A_1 \wedge A_2, A_1, A_2 \xrightarrow{K} A_1 \wedge A_2$ (Rule ($\wedge$R) 1, 2)
4. $\Gamma, A_1 \wedge A_2 \xrightarrow{K} A_1 \wedge A_2$ (Rule ($\wedge$L) 3)

Case. $A = A_1 \vee A_2$

1. $\Gamma, A_1 \vee A_2, A_1 \xrightarrow{K} A_1$ (i.h.)
2. $\Gamma, A_1 \vee A_2, A_1 \xrightarrow{K} A_1 \vee A_2$ (Rule ($\vee$R$_1$) 1)
3. $\Gamma, A_1 \vee A_2, A_2 \xrightarrow{K} A_2$ (i.h.)
4. $\Gamma, A_1 \v A_2, A_2 \xrightarrow{K} A_1 \vee A_2$ (Rule ($\vee$R$_2$) 3)
5. $\Gamma, A_1 \vee A_2 \xrightarrow{K} A_1 \vee A_2$ (Rule ($\vee$L) 2, 4)

Case. $A = \top$

1. $\Gamma, \top \xrightarrow{K} \top$ (Rule ($\top$R))

Case. $A = \bot$

1. $\Gamma, \bot \xrightarrow{K} \bot$ (Rule ($\bot$L))

Case. $A = A_1 \supset A_2$

1. $\Gamma, A_1 \supset A_2, A_1 \xrightarrow{K} A_1$ (i.h.)
2. $\Gamma, A_1 \supset A_2, A_1, A_2 \xrightarrow{K} A_2$ (i.h.)
3. $\Gamma, A_1 \supset A_2, A_1 \xrightarrow{K} A_2$ (Rule ($\supset$L))
4. $\Gamma, A_1 \supset A_2 \xrightarrow{K} A_1 \supset A_2$ (Rule ($\supset$R))

Case. $A = K'\ \mathsf{says}\ B$

1. $\Gamma|_{K'}, K'\ \mathsf{claims}\ B, B \xrightarrow{K'} B$ (i.h.)
2. $\Gamma|_{K'}, K'\ \mathsf{claims}\ B \xrightarrow{K'} B$ (Rule (claims))
3. $\Gamma, K'\ \mathsf{says}\ B, K'\ \mathsf{claims}\ B \xrightarrow{K} K'\ \mathsf{says}\ B$ (Rule (saysR))
4. $\Gamma, K'\ \mathsf{says}\ B \xrightarrow{K} K'\ \mathsf{says}\ B$ (Rule (saysL))

□


C  Proof  of  Equivalence  from  Section  3.6 

The  objective  of  this  section  is  to  prove  Theorem  3.9,  showing  that  the  axiomatic,  natural 
deduction,  and  sequent  calculus  proof  systems  are  equivalent.  Although  it  is  possible 
to  show  that  natural  deduction  and  sequent  calculus  are  equivalent  without  reference 
to  the  axiomatic  system,  we  do  not  do  this  here,  and  prove  the  equivalence  of  the  three 
systems  simultaneously.  First,  we  expand  the  theory  of  the  axiomatic  system. 
C.1 The Axiomatic System for DTL0

In Section 2, we presented some rules and axioms for the axiomatic system. Here, we list all the rules and axioms, including those listed earlier.

$$\frac{\vdash_H A}{\vdash_H K\ \mathsf{says}\ A}\ (\mathsf{nec}) \qquad \frac{\vdash_H A \supset B \qquad \vdash_H A}{\vdash_H B}\ (\mathsf{mp}) \qquad \frac{A\ \text{is an axiom}}{\vdash_H A}\ (\mathsf{ax})$$

Axioms:

$(K\ \mathsf{says}\ (A \supset B)) \supset ((K\ \mathsf{says}\ A) \supset (K\ \mathsf{says}\ B))$ (K)
$(K\ \mathsf{says}\ A) \supset K\ \mathsf{says}\ K\ \mathsf{says}\ A$ (4)
$K\ \mathsf{says}\ ((K\ \mathsf{says}\ A) \supset A)$ (C)
$(K_1\ \mathsf{says}\ A) \supset (K_2\ \mathsf{says}\ A)$ if $K_1 \succeq K_2$ (S)
$A \supset (B \supset A)$ (imp1)
$(A \supset B) \supset ((A \supset (B \supset C)) \supset (A \supset C))$ (imp2)
$A \supset (B \supset (A \wedge B))$ (conj1)
$(A \wedge B) \supset A$ (conj2)
$(A \wedge B) \supset B$ (conj3)
$A \supset (A \vee B)$ (disj1)
$B \supset (A \vee B)$ (disj2)
$(A \supset C) \supset ((B \supset C) \supset ((A \vee B) \supset C))$ (disj3)
$\top$ (true)
$\bot \supset A$ (false)

Next, we introduce a generalized axiomatic system, to reason from hypotheses. Let $\Gamma$ denote a multiset of formulas (not judgments). We write $\Gamma \vdash_G A$ to mean that $A$ may be established from assumptions $\Gamma$. The rules of the generalized axiomatic system are:

$$\frac{}{\Gamma, A \vdash_G A}\ (\mathsf{use}) \qquad \frac{\cdot \vdash_G A}{\Gamma \vdash_G K\ \mathsf{says}\ A}\ (\mathsf{nec}) \qquad \frac{\Gamma \vdash_G A \supset B \qquad \Gamma \vdash_G A}{\Gamma \vdash_G B}\ (\mathsf{mp}) \qquad \frac{A\ \text{is an axiom}}{\Gamma \vdash_G A}\ (\mathsf{ax})$$

Now we prove some basic properties of the generalized axiomatic system, including the deduction theorem, and show that the generalized system reduces to the axiomatic system when $\Gamma$ is empty.

Lemma C.1 (Basic properties). The following hold.

1. (Weakening) $\Gamma \vdash_G A$ implies $\Gamma, \Gamma' \vdash_G A$
2. (Substitution) $\Gamma \vdash_G A$ and $\Gamma, A \vdash_G B$ imply $\Gamma \vdash_G B$

Proof. (1) follows by an easy induction on the derivation of $\Gamma \vdash_G A$ (details omitted here). (2) follows by induction on the derivation of $\Gamma, A \vdash_G B$. We analyze the last rule in the derivation.

Case. $\dfrac{}{\Gamma, A \vdash_G A}\ (\mathsf{use})$ (Principal case)

1. $\Gamma \vdash_G A$ (First given derivation)

Case. $\dfrac{}{\Gamma, A, B \vdash_G B}\ (\mathsf{use})$ (Non-principal case)

1. $\Gamma, B \vdash_G B$ (Rule (use))

Case. $\dfrac{\cdot \vdash_G B}{\Gamma, A \vdash_G K\ \mathsf{says}\ B}\ (\mathsf{nec})$

1. $\cdot \vdash_G B$ (Premise)
2. $\Gamma \vdash_G K\ \mathsf{says}\ B$ (Rule (nec))

Case. $\dfrac{\Gamma, A \vdash_G B_1 \supset B_2 \qquad \Gamma, A \vdash_G B_1}{\Gamma, A \vdash_G B_2}\ (\mathsf{mp})$

1. $\Gamma \vdash_G B_1 \supset B_2$ (i.h. on 1st premise)
2. $\Gamma \vdash_G B_1$ (i.h. on 2nd premise)
3. $\Gamma \vdash_G B_2$ (Rule (mp))

Case. $\dfrac{B\ \text{is an axiom}}{\Gamma, A \vdash_G B}\ (\mathsf{ax})$

1. $\Gamma \vdash_G B$ (Rule (ax))

□

Theorem C.2 (Deduction). The following hold.

1. $\Gamma \vdash_G A \supset B$ implies $\Gamma, A \vdash_G B$
2. $\Gamma, A \vdash_G B$ implies $\Gamma \vdash_G A \supset B$

Proof. We prove (1) first. Assume $\Gamma \vdash_G A \supset B$. Then we have

1. $\Gamma, A \vdash_G A \supset B$ (Weakening)
2. $\Gamma, A \vdash_G A$ (Rule (use))
3. $\Gamma, A \vdash_G B$ (Rule (mp))

Next we prove (2). We induct on the derivation of $\Gamma, A \vdash_G B$, case analyzing the last rule.

Case. $\dfrac{}{\Gamma, A \vdash_G A}\ (\mathsf{use})$ (Principal case)

Here $A = B$, and we must show that $\Gamma \vdash_G A \supset A$.

1. $\Gamma \vdash_G (A \supset (B \supset A)) \supset ((A \supset ((B \supset A) \supset A)) \supset (A \supset A))$ (Rule (ax) and imp2)
2. $\Gamma \vdash_G A \supset (B \supset A)$ (Rule (ax) and imp1)
3. $\Gamma \vdash_G (A \supset ((B \supset A) \supset A)) \supset (A \supset A)$ (Rule (mp))
4. $\Gamma \vdash_G A \supset ((B \supset A) \supset A)$ (Rule (ax) and imp1)
5. $\Gamma \vdash_G A \supset A$ (Rule (mp) on 3 and 4)

Case. $\dfrac{}{\Gamma, A, B \vdash_G B}\ (\mathsf{use})$ (Non-principal case)

1. $\Gamma, B \vdash_G B \supset (A \supset B)$ (Rule (ax) and imp1)
2. $\Gamma, B \vdash_G B$ (Rule (use))
3. $\Gamma, B \vdash_G A \supset B$ (Rule (mp))

Case. $\dfrac{\cdot \vdash_G B}{\Gamma, A \vdash_G K\ \mathsf{says}\ B}\ (\mathsf{nec})$

1. $\Gamma \vdash_G K\ \mathsf{says}\ B$ (Rule (nec) on premise)
2. $\Gamma \vdash_G (K\ \mathsf{says}\ B) \supset (A \supset K\ \mathsf{says}\ B)$ (Rule (ax) and imp1)
3. $\Gamma \vdash_G A \supset K\ \mathsf{says}\ B$ (Rule (mp))

Case. $\dfrac{\Gamma, A \vdash_G B_1 \supset B_2 \qquad \Gamma, A \vdash_G B_1}{\Gamma, A \vdash_G B_2}\ (\mathsf{mp})$

1. $\Gamma \vdash_G A \supset (B_1 \supset B_2)$ (i.h. on premise 1)
2. $\Gamma \vdash_G A \supset B_1$ (i.h. on premise 2)
3. $\Gamma \vdash_G (A \supset B_1) \supset ((A \supset (B_1 \supset B_2)) \supset (A \supset B_2))$ (Rule (ax) and imp2)
4. $\Gamma \vdash_G (A \supset (B_1 \supset B_2)) \supset (A \supset B_2)$ (Rule (mp) on 3 and 2)
5. $\Gamma \vdash_G A \supset B_2$ (Rule (mp) on 4 and 1)

Case. $\dfrac{B\ \text{is an axiom}}{\Gamma, A \vdash_G B}\ (\mathsf{ax})$

1. $\Gamma \vdash_G B \supset (A \supset B)$ (Rule (ax) and imp1)
2. $\Gamma \vdash_G B$ (Rule (ax))
3. $\Gamma \vdash_G A \supset B$ (Rule (mp))

□

Theorem C.3 (G iff H). $\vdash_H A$ if and only if $\cdot \vdash_G A$.

Proof. In each direction by straightforward induction on the given derivation. □
Lemma C.4 (Currying). $\Gamma \vdash_G (A \wedge B) \supset C$ if and only if $\Gamma \vdash_G A \supset (B \supset C)$.

Proof. ("If" direction)

1. $\Gamma \vdash_G A \supset (B \supset C)$ (Assumption)
2. $\Gamma, A, B \vdash_G C$ (Theorem C.2 twice)
3. $\Gamma, A \wedge B \vdash_G (A \wedge B) \supset A$ (Rule (ax) and conj2)
4. $\Gamma, A \wedge B \vdash_G A \wedge B$ (Rule (use))
5. $\Gamma, A \wedge B \vdash_G A$ (Rule (mp) on 3 and 4)
6. $\Gamma, A \wedge B \vdash_G (A \wedge B) \supset B$ (Rule (ax) and conj3)
7. $\Gamma, A \wedge B \vdash_G B$ (Rule (mp) on 6 and 4)
8. $\Gamma, A \wedge B, B \vdash_G C$ (Substitution Lemma C.1 on 5 and 2)
9. $\Gamma, A \wedge B \vdash_G C$ (Substitution Lemma C.1 on 7 and 8)
10. $\Gamma \vdash_G (A \wedge B) \supset C$ (Theorem C.2)

("Only if" direction)

1. $\Gamma \vdash_G (A \wedge B) \supset C$ (Assumption)
2. $\Gamma, A \wedge B \vdash_G C$ (Theorem C.2)
3. $\Gamma, A, B \vdash_G A \supset (B \supset (A \wedge B))$ (Rule (ax) and conj1)
4. $\Gamma, A, B \vdash_G A$ (Rule (use))
5. $\Gamma, A, B \vdash_G B \supset (A \wedge B)$ (Rule (mp) on 3 and 4)
6. $\Gamma, A, B \vdash_G B$ (Rule (use))
7. $\Gamma, A, B \vdash_G A \wedge B$ (Rule (mp) on 5 and 6)
8. $\Gamma, A, B \vdash_G C$ (Substitution Lemma C.1 on 7 and 2)
9. $\Gamma, A \vdash_G B \supset C$ (Theorem C.2)
10. $\Gamma \vdash_G A \supset (B \supset C)$ (Theorem C.2)

□


Lemma C.5. $K' \succeq K$ and $\cdot \vdash_G K'\ \mathsf{says}\ A$ imply $\cdot \vdash_G K\ \mathsf{says}\ K'\ \mathsf{says}\ A$.

Proof.

1. $\cdot \vdash_G (K'\ \mathsf{says}\ A) \supset K'\ \mathsf{says}\ K'\ \mathsf{says}\ A$ (Rule (ax) and Axiom 4)
2. $K'\ \mathsf{says}\ A \vdash_G K'\ \mathsf{says}\ K'\ \mathsf{says}\ A$ (Theorem C.2)
3. $K'\ \mathsf{says}\ A \vdash_G (K'\ \mathsf{says}\ K'\ \mathsf{says}\ A) \supset (K\ \mathsf{says}\ K'\ \mathsf{says}\ A)$ (Rule (ax) and S; $K' \succeq K$)
4. $K'\ \mathsf{says}\ A \vdash_G K\ \mathsf{says}\ K'\ \mathsf{says}\ A$ (Rule (mp) on 3 and 2)
5. $\cdot \vdash_G (K'\ \mathsf{says}\ A) \supset K\ \mathsf{says}\ K'\ \mathsf{says}\ A$ (Theorem C.2)
6. $\cdot \vdash_G K\ \mathsf{says}\ K'\ \mathsf{says}\ A$ (Rule (mp) on 5 and the assumption $\cdot \vdash_G K'\ \mathsf{says}\ A$)

□
C.2 Proof of Equivalence

Let $\overline{\Gamma}$ denote the reification of the context $\Gamma$ as a formula:

$$\overline{\cdot} = \top \qquad \overline{\Gamma, A\ \mathsf{true}} = \overline{\Gamma} \wedge A \qquad \overline{\Gamma, K\ \mathsf{claims}\ A} = \overline{\Gamma} \wedge (K\ \mathsf{says}\ A)$$

Lemma C.6 (Natural Deduction $\Rightarrow$ Axiomatic). $\Gamma \vdash_K A$ implies $\cdot \vdash_G K\ \mathsf{says}\ (\overline{\Gamma} \supset A)$.

Proof. We induct on the derivation of $\Gamma \vdash_K A$, analyzing cases on the last rule. Some of the cases related to says and claims are shown below. Others are straightforward. To keep proofs short, we freely use properties such as Currying (Lemma C.4) and $(K\ \mathsf{says}\ (A \wedge B)) \equiv ((K\ \mathsf{says}\ A) \wedge (K\ \mathsf{says}\ B))$, without explicit mention.

Case. $\dfrac{}{\Gamma, A \vdash_K A}\ (\mathsf{hyp})$

1. $\Gamma \vdash_G A \supset A$ (See proof of Theorem C.2.2; case (use))
2. $\cdot \vdash_G \overline{\Gamma} \supset (A \supset A)$ (Theorem C.2)
3. $\cdot \vdash_G (\overline{\Gamma} \wedge A) \supset A$ (Lemma C.4)
4. $\cdot \vdash_G K\ \mathsf{says}\ ((\overline{\Gamma} \wedge A) \supset A)$ (Rule (nec))

Case. $\dfrac{K' \succeq K}{\Gamma, K'\ \mathsf{claims}\ A \vdash_K A}\ (\mathsf{claims})$

1. $\cdot \vdash_G K'\ \mathsf{says}\ ((K'\ \mathsf{says}\ A) \supset A)$ (Rule (ax) and C)
2. $\cdot \vdash_G ((K'\ \mathsf{says}\ A) \supset A) \supset ((\overline{\Gamma} \wedge (K'\ \mathsf{says}\ A)) \supset A)$ (Theorem in G)
3. $\cdot \vdash_G K'\ \mathsf{says}\ (((K'\ \mathsf{says}\ A) \supset A) \supset ((\overline{\Gamma} \wedge (K'\ \mathsf{says}\ A)) \supset A))$ (Rule (nec) on 2)
4. $\cdot \vdash_G (K'\ \mathsf{says}\ ((K'\ \mathsf{says}\ A) \supset A)) \supset K'\ \mathsf{says}\ ((\overline{\Gamma} \wedge (K'\ \mathsf{says}\ A)) \supset A)$ (Rule (ax), K and (mp) on 3)
5. $\cdot \vdash_G K'\ \mathsf{says}\ ((\overline{\Gamma} \wedge (K'\ \mathsf{says}\ A)) \supset A)$ (Rule (mp) on 4 and 1)
6. $\cdot \vdash_G (K'\ \mathsf{says}\ ((\overline{\Gamma} \wedge (K'\ \mathsf{says}\ A)) \supset A)) \supset K\ \mathsf{says}\ ((\overline{\Gamma} \wedge (K'\ \mathsf{says}\ A)) \supset A)$ (Rule (ax) and S; $K' \succeq K$)
7. $\cdot \vdash_G K\ \mathsf{says}\ ((\overline{\Gamma} \wedge (K'\ \mathsf{says}\ A)) \supset A)$ (Rule (mp) on 6 and 5)

Case. $\dfrac{\Gamma|_{K'} \vdash_{K'} A}{\Gamma \vdash_K K'\ \mathsf{says}\ A}\ (\mathsf{saysI})$

Let $\Gamma|_{K'} = K_1\ \mathsf{claims}\ A_1, \ldots, K_n\ \mathsf{claims}\ A_n$. Then $K_i \succeq K'$ ($1 \leq i \leq n$).

1. $\cdot \vdash_G K'\ \mathsf{says}\ (((K_1\ \mathsf{says}\ A_1) \wedge \ldots \wedge (K_n\ \mathsf{says}\ A_n)) \supset A)$ (i.h. on premise)
2. $\cdot \vdash_G ((K'\ \mathsf{says}\ K_1\ \mathsf{says}\ A_1) \wedge \ldots \wedge (K'\ \mathsf{says}\ K_n\ \mathsf{says}\ A_n)) \supset K'\ \mathsf{says}\ A$ (Rule (ax), K and (mp) on 1; says distributes over $\wedge$)
3. $K'\ \mathsf{says}\ K_1\ \mathsf{says}\ A_1, \ldots, K'\ \mathsf{says}\ K_n\ \mathsf{says}\ A_n \vdash_G K'\ \mathsf{says}\ A$ (Theorem C.2)
4. $\cdot \vdash_G (K_i\ \mathsf{says}\ A_i) \supset K'\ \mathsf{says}\ K_i\ \mathsf{says}\ A_i$ (Lemma C.5)
5. $K_i\ \mathsf{says}\ A_i \vdash_G K'\ \mathsf{says}\ K_i\ \mathsf{says}\ A_i$ (Theorem C.2)
6. $K_1\ \mathsf{says}\ A_1, \ldots, K_n\ \mathsf{says}\ A_n \vdash_G K'\ \mathsf{says}\ A$ (Substitution Lemma C.1 on 5 and 3)
7. $\Gamma \vdash_G K'\ \mathsf{says}\ A$ (Weakening Lemma C.1)
8. $\cdot \vdash_G \overline{\Gamma} \supset K'\ \mathsf{says}\ A$ (Theorem C.2)
9. $\cdot \vdash_G K\ \mathsf{says}\ (\overline{\Gamma} \supset K'\ \mathsf{says}\ A)$ (Rule (nec))

Case. $\dfrac{\Gamma \vdash_K K'\ \mathsf{says}\ B \qquad \Gamma, K'\ \mathsf{claims}\ B \vdash_K A}{\Gamma \vdash_K A}\ (\mathsf{saysE})$

1. $\cdot \vdash_G K\ \mathsf{says}\ (\overline{\Gamma} \supset K'\ \mathsf{says}\ B)$ (i.h. on 1st premise)
2. $\cdot \vdash_G K\ \mathsf{says}\ (\overline{\Gamma} \supset ((K'\ \mathsf{says}\ B) \supset A))$ (i.h. on 2nd premise)
3. $\cdot \vdash_G (\overline{\Gamma} \supset K'\ \mathsf{says}\ B) \supset ((\overline{\Gamma} \supset ((K'\ \mathsf{says}\ B) \supset A)) \supset (\overline{\Gamma} \supset A))$ (Rule (ax) and imp2)
4. $\cdot \vdash_G K\ \mathsf{says}\ ((\overline{\Gamma} \supset K'\ \mathsf{says}\ B) \supset ((\overline{\Gamma} \supset ((K'\ \mathsf{says}\ B) \supset A)) \supset (\overline{\Gamma} \supset A)))$ (Rule (nec))
5. $\cdot \vdash_G (K\ \mathsf{says}\ (\overline{\Gamma} \supset K'\ \mathsf{says}\ B)) \supset ((K\ \mathsf{says}\ (\overline{\Gamma} \supset ((K'\ \mathsf{says}\ B) \supset A))) \supset K\ \mathsf{says}\ (\overline{\Gamma} \supset A))$ (Rule (ax), K and (mp))
6. $\cdot \vdash_G (K\ \mathsf{says}\ (\overline{\Gamma} \supset ((K'\ \mathsf{says}\ B) \supset A))) \supset K\ \mathsf{says}\ (\overline{\Gamma} \supset A)$ (Rule (mp) on 5 and 1)
7. $\cdot \vdash_G K\ \mathsf{says}\ (\overline{\Gamma} \supset A)$ (Rule (mp) on 6 and 2)

□

Lemma C.7 (Axiomatic $\Rightarrow$ Sequent Calculus). $\vdash_H A$ implies $\cdot \xrightarrow{K} A$ for each $K$.

Proof. We induct on the derivation of $\vdash_H A$, and analyze cases on the last rule in the derivation.

Case. $\dfrac{\vdash_H A}{\vdash_H K'\ \mathsf{says}\ A}\ (\mathsf{nec})$

1. $\cdot \xrightarrow{K'} A$ (i.h. on premise with $K'$)
2. $\cdot \xrightarrow{K} K'\ \mathsf{says}\ A$ (Rule (saysR))

Case. $\dfrac{\vdash_H A \supset B \qquad \vdash_H A}{\vdash_H B}\ (\mathsf{mp})$

1. $\cdot \xrightarrow{K} A \supset B$ (i.h. on 1st premise)
2. $\cdot \xrightarrow{K} A$ (i.h. on 2nd premise)
3. $A \supset B, A \xrightarrow{K} A$ (Theorem B.3)
4. $A \supset B, A, B \xrightarrow{K} B$ (Theorem B.3)
5. $A \supset B, A \xrightarrow{K} B$ (Rule ($\supset$L) on 3 and 4)
6. $A \xrightarrow{K} B$ (Theorem B.2 on 1 and 5)
7. $\cdot \xrightarrow{K} B$ (Theorem B.2 on 2 and 6)

Case. $\dfrac{A\ \text{is an axiom}}{\vdash_H A}\ (\mathsf{ax})$

We case analyze all axioms $A$, in each case showing that $\cdot \xrightarrow{K} A$. Some representative cases are shown below (others are straightforward, since they use only the laws of propositional logic).

Case. (Axiom K) $A = (K'\ \mathsf{says}\ (A' \supset B')) \supset ((K'\ \mathsf{says}\ A') \supset (K'\ \mathsf{says}\ B'))$

1. $K'\ \mathsf{claims}\ (A' \supset B'), K'\ \mathsf{claims}\ A', A' \supset B', A' \xrightarrow{K'} A'$ (Theorem B.3)
2. $K'\ \mathsf{claims}\ (A' \supset B'), K'\ \mathsf{claims}\ A', A' \supset B', A', B' \xrightarrow{K'} B'$ (Theorem B.3)
3. $K'\ \mathsf{claims}\ (A' \supset B'), K'\ \mathsf{claims}\ A', A' \supset B', A' \xrightarrow{K'} B'$ (Rule ($\supset$L))
4. $K'\ \mathsf{claims}\ (A' \supset B'), K'\ \mathsf{claims}\ A' \xrightarrow{K'} B'$ (Rule (claims) twice)
5. $K'\ \mathsf{says}\ (A' \supset B'), K'\ \mathsf{says}\ A', K'\ \mathsf{claims}\ (A' \supset B'), K'\ \mathsf{claims}\ A' \xrightarrow{K} K'\ \mathsf{says}\ B'$ (Rule (saysR))
6. $K'\ \mathsf{says}\ (A' \supset B'), K'\ \mathsf{says}\ A' \xrightarrow{K} K'\ \mathsf{says}\ B'$ (Rule (saysL) twice)
7. $\cdot \xrightarrow{K} (K'\ \mathsf{says}\ (A' \supset B')) \supset ((K'\ \mathsf{says}\ A') \supset (K'\ \mathsf{says}\ B'))$ (Rule ($\supset$R) twice)

Case. (Axiom 4) $A = (K'\ \mathsf{says}\ A') \supset K'\ \mathsf{says}\ K'\ \mathsf{says}\ A'$

1. $K'\ \mathsf{claims}\ A', A' \xrightarrow{K'} A'$ (Theorem B.3)
2. $K'\ \mathsf{claims}\ A' \xrightarrow{K'} A'$ (Rule (claims))
3. $K'\ \mathsf{claims}\ A' \xrightarrow{K'} K'\ \mathsf{says}\ A'$ (Rule (saysR))
4. $K'\ \mathsf{says}\ A', K'\ \mathsf{claims}\ A' \xrightarrow{K} K'\ \mathsf{says}\ K'\ \mathsf{says}\ A'$ (Rule (saysR))
5. $K'\ \mathsf{says}\ A' \xrightarrow{K} K'\ \mathsf{says}\ K'\ \mathsf{says}\ A'$ (Rule (saysL))
6. $\cdot \xrightarrow{K} (K'\ \mathsf{says}\ A') \supset K'\ \mathsf{says}\ K'\ \mathsf{says}\ A'$ (Rule ($\supset$R))

Case. (Axiom C) $A = K'\ \mathsf{says}\ ((K'\ \mathsf{says}\ A') \supset A')$

1. $K'\ \mathsf{says}\ A', K'\ \mathsf{claims}\ A', A' \xrightarrow{K'} A'$ (Theorem B.3)
2. $K'\ \mathsf{says}\ A', K'\ \mathsf{claims}\ A' \xrightarrow{K'} A'$ (Rule (claims))
3. $K'\ \mathsf{says}\ A' \xrightarrow{K'} A'$ (Rule (saysL))
4. $\cdot \xrightarrow{K'} (K'\ \mathsf{says}\ A') \supset A'$ (Rule ($\supset$R))
5. $\cdot \xrightarrow{K} K'\ \mathsf{says}\ ((K'\ \mathsf{says}\ A') \supset A')$ (Rule (saysR))

Case. (Axiom S) $A = (K_1\ \mathsf{says}\ A') \supset (K_2\ \mathsf{says}\ A')$ and $K_1 \succeq K_2$

1. $K_1\ \mathsf{claims}\ A', A' \xrightarrow{K_2} A'$ (Theorem B.3)
2. $K_1\ \mathsf{claims}\ A' \xrightarrow{K_2} A'$ (Rule (claims); $K_1 \succeq K_2$)
3. $K_1\ \mathsf{claims}\ A', K_1\ \mathsf{says}\ A' \xrightarrow{K} K_2\ \mathsf{says}\ A'$ (Rule (saysR); $K_1 \succeq K_2$)
4. $K_1\ \mathsf{says}\ A' \xrightarrow{K} K_2\ \mathsf{says}\ A'$ (Rule (saysL))
5. $\cdot \xrightarrow{K} (K_1\ \mathsf{says}\ A') \supset (K_2\ \mathsf{says}\ A')$ (Rule ($\supset$R))

□

Lemma C.8 (Sequent Calculus $\Rightarrow$ Natural Deduction). $\Gamma \xrightarrow{K} A$ implies $\Gamma \vdash_K A$.

Proof. We induct on the derivation of $\Gamma \xrightarrow{K} A$ and analyze the last rule in the derivation.

Case. $\dfrac{P\ \text{atomic}}{\Gamma, P \xrightarrow{K} P}\ (\mathsf{init})$

1. $\Gamma, P \vdash_K P$ (Rule (hyp))

Case. $\dfrac{\Gamma, K\ \mathsf{claims}\ A, A \xrightarrow{K'} C \qquad K \succeq K'}{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C}\ (\mathsf{claims})$

1. $\Gamma, K\ \mathsf{claims}\ A, A \vdash_{K'} C$ (i.h. on premise)
2. $\Gamma, K\ \mathsf{claims}\ A \vdash_{K'} A$ (Rule (claims); $K \succeq K'$)
3. $\Gamma, K\ \mathsf{claims}\ A \vdash_{K'} C$ (Substitution Theorem 3.2 on 2 and 1)

Case. $\dfrac{\Gamma|_K \xrightarrow{K} A}{\Gamma \xrightarrow{K'} K\ \mathsf{says}\ A}\ (\mathsf{saysR})$

1. $\Gamma|_K \vdash_K A$ (i.h. on premise)
2. $\Gamma \vdash_{K'} K\ \mathsf{says}\ A$ (Rule (saysI))

Case. $\dfrac{\Gamma, K\ \mathsf{says}\ A, K\ \mathsf{claims}\ A \xrightarrow{K'} C}{\Gamma, K\ \mathsf{says}\ A \xrightarrow{K'} C}\ (\mathsf{saysL})$

1. $\Gamma, K\ \mathsf{says}\ A, K\ \mathsf{claims}\ A \vdash_{K'} C$ (i.h. on premise)
2. $\Gamma, K\ \mathsf{says}\ A \vdash_{K'} K\ \mathsf{says}\ A$ (Rule (hyp))
3. $\Gamma, K\ \mathsf{says}\ A \vdash_{K'} C$ (Rule (saysE) on 2 and 1)

Case. $\dfrac{\Gamma \xrightarrow{K} A \qquad \Gamma \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \wedge B}\ (\wedge R)$

1. $\Gamma \vdash_K A$ (i.h. on 1st premise)
2. $\Gamma \vdash_K B$ (i.h. on 2nd premise)
3. $\Gamma \vdash_K A \wedge B$ (Rule ($\wedge$I))

Case. $\dfrac{\Gamma, A \wedge B, A, B \xrightarrow{K} C}{\Gamma, A \wedge B \xrightarrow{K} C}\ (\wedge L)$

1. $\Gamma, A \wedge B, A, B \vdash_K C$ (i.h. on premise)
2. $\Gamma, A \wedge B \vdash_K A \wedge B$ (Rule (hyp))
3. $\Gamma, A \wedge B \vdash_K A$ (Rule ($\wedge$E$_1$) on 2)
4. $\Gamma, A \wedge B \vdash_K B$ (Rule ($\wedge$E$_2$) on 2)
5. $\Gamma, A \wedge B, B \vdash_K C$ (Substitution Theorem 3.2 on 3 and 1)
6. $\Gamma, A \wedge B \vdash_K C$ (Substitution Theorem 3.2 on 4 and 5)

Case. $\dfrac{\Gamma \xrightarrow{K} A}{\Gamma \xrightarrow{K} A \vee B}\ (\vee R_1)$

1. $\Gamma \vdash_K A$ (i.h. on premise)
2. $\Gamma \vdash_K A \vee B$ (Rule ($\vee$I$_1$))

Case. $\dfrac{\Gamma \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \vee B}\ (\vee R_2)$

1. $\Gamma \vdash_K B$ (i.h. on premise)
2. $\Gamma \vdash_K A \vee B$ (Rule ($\vee$I$_2$))

Case. $\dfrac{\Gamma, A \vee B, A \xrightarrow{K} C \qquad \Gamma, A \vee B, B \xrightarrow{K} C}{\Gamma, A \vee B \xrightarrow{K} C}\ (\vee L)$

1. $\Gamma, A \vee B, A \vdash_K C$ (i.h. on 1st premise)
2. $\Gamma, A \vee B, B \vdash_K C$ (i.h. on 2nd premise)
3. $\Gamma, A \vee B \vdash_K A \vee B$ (Rule (hyp))
4. $\Gamma, A \vee B \vdash_K C$ (Rule ($\vee$E) on 3, 1 and 2)

Case. $\dfrac{}{\Gamma \xrightarrow{K} \top}\ (\top R)$

1. $\Gamma \vdash_K \top$ (Rule ($\top$I))

Case. $\dfrac{}{\Gamma, \bot \xrightarrow{K} C}\ (\bot L)$

1. $\Gamma, \bot \vdash_K \bot$ (Rule (hyp))
2. $\Gamma, \bot \vdash_K C$ (Rule ($\bot$E))

Case. $\dfrac{\Gamma, A \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \supset B}\ (\supset R)$

1. $\Gamma, A \vdash_K B$ (i.h. on premise)
2. $\Gamma \vdash_K A \supset B$ (Rule ($\supset$I))

Case. $\dfrac{\Gamma, A \supset B \xrightarrow{K} A \qquad \Gamma, A \supset B, B \xrightarrow{K} C}{\Gamma, A \supset B \xrightarrow{K} C}\ (\supset L)$

1. $\Gamma, A \supset B \vdash_K A$ (i.h. on 1st premise)
2. $\Gamma, A \supset B, B \vdash_K C$ (i.h. on 2nd premise)
3. $\Gamma, A \supset B \vdash_K A \supset B$ (Rule (hyp))
4. $\Gamma, A \supset B \vdash_K B$ (Rule ($\supset$E) on 3 and 1)
5. $\Gamma, A \supset B \vdash_K C$ (Substitution Theorem 3.2 on 4 and 2)

□

Lemma C.9 (Equivalence). The following are equivalent for any $\Gamma$, $K$, and $A$.

1. $\Gamma \vdash_K A$ in the natural deduction system.
2. $\Gamma \xrightarrow{K} A$ in the sequent calculus.
3. $\vdash_H K\ \mathsf{says}\ (\overline{\Gamma} \supset A)$ in the axiomatic system.

Proof. We show that (2) $\Rightarrow$ (1) $\Rightarrow$ (3) $\Rightarrow$ (2).

Proof of (2) $\Rightarrow$ (1). Follows immediately from Lemma C.8.

Proof of (1) $\Rightarrow$ (3). Suppose $\Gamma \vdash_K A$. By Lemma C.6, $\cdot \vdash_G K\ \mathsf{says}\ (\overline{\Gamma} \supset A)$. By Theorem C.3, $\vdash_H K\ \mathsf{says}\ (\overline{\Gamma} \supset A)$.

Proof of (3) $\Rightarrow$ (2). Suppose $\vdash_H K\ \mathsf{says}\ (\overline{\Gamma} \supset A)$. By Lemma C.7, $\cdot \xrightarrow{K} K\ \mathsf{says}\ (\overline{\Gamma} \supset A)$. Now observe that $K\ \mathsf{says}\ (\overline{\Gamma} \supset A), \Gamma \xrightarrow{K} A$. Hence, by cut (Theorem B.2) we get $\Gamma \xrightarrow{K} A$.

□

Corollary C.10 (Equivalence; Theorem 3.9). The following are equivalent for any $K$ and $A$.

1. $\cdot \vdash_K A$ in the natural deduction system.
2. $\cdot \xrightarrow{K} A$ in the sequent calculus.
3. $\vdash_H K\ \mathsf{says}\ A$ in the axiomatic system.

Proof. Choose $\Gamma = \cdot$ in Lemma C.9. We get $\cdot \vdash_K A$ iff $\cdot \xrightarrow{K} A$ iff $\vdash_H K\ \mathsf{says}\ (\top \supset A)$. It only remains to show that $\vdash_H K\ \mathsf{says}\ A$ if and only if $\vdash_H K\ \mathsf{says}\ (\top \supset A)$.

("If" direction)

1. $\vdash_H K\ \mathsf{says}\ (\top \supset A)$ (Assumption)
2. $\vdash_H \top \supset ((\top \supset A) \supset \top)$ (Rule (ax) and imp1)
3. $\vdash_H \top$ (Rule (ax) and true)
4. $\vdash_H (\top \supset A) \supset \top$ (Rule (mp) on 2 and 3)
5. $\vdash_H (\top \supset A) \supset (\top \supset A)$ (see proof of Theorem C.2.2; case (use))
6. $\vdash_H ((\top \supset A) \supset \top) \supset (((\top \supset A) \supset (\top \supset A)) \supset ((\top \supset A) \supset A))$ (Rule (ax) and imp2)
7. $\vdash_H ((\top \supset A) \supset (\top \supset A)) \supset ((\top \supset A) \supset A)$ (Rule (mp) on 6 and 4)
8. $\vdash_H (\top \supset A) \supset A$ (Rule (mp) on 7 and 5)
9. $\vdash_H K\ \mathsf{says}\ ((\top \supset A) \supset A)$ (Rule (nec))
10. $\vdash_H (K\ \mathsf{says}\ (\top \supset A)) \supset K\ \mathsf{says}\ A$ (Rule (ax), K and (mp) on 9)
11. $\vdash_H K\ \mathsf{says}\ A$ (Rule (mp) on 10 and 1)

("Only if" direction)

1. $\vdash_H K\ \mathsf{says}\ A$ (Assumption)
2. $\vdash_H A \supset (\top \supset A)$ (Rule (ax) and imp1)
3. $\vdash_H K\ \mathsf{says}\ (A \supset (\top \supset A))$ (Rule (nec))
4. $\vdash_H (K\ \mathsf{says}\ A) \supset K\ \mathsf{says}\ (\top \supset A)$ (Rule (ax), K and (mp) on 3)
5. $\vdash_H K\ \mathsf{says}\ (\top \supset A)$ (Rule (mp) on 4 and 1)

□
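As an added example (not from the paper), the following Python checker implements the three rules (nec), (mp) and (ax) of the axiomatic system of Appendix C.1 and replays the closed part of the "if" direction above (steps 2 to 10, with step 5 expanded exactly as in the (use) case of Theorem C.2), so that each step is checked mechanically against the axiom schemas. The tuple encoding of formulas, the function names `check_H` and `c10_if_derivation`, and the principal order supplied as `succeq` are this example's own assumptions.

```python
# Added example (not the paper's code): a proof checker for ⊢_H (Appendix C.1).
# Formulas are nested tuples: ('atom', p), ('top',), ('bot',), ('and', a, b),
# ('or', a, b), ('imp', a, b), ('says', k, a).  In axiom schemas, ('var', x) is a
# formula metavariable and a principal name starting with '?' is a principal one.

def imp(a, b): return ('imp', a, b)
def says(k, a): return ('says', k, a)
TOP, BOT = ('top',), ('bot',)
A_, B_, C_ = ('var', 'A'), ('var', 'B'), ('var', 'C')

AXIOMS = {  # the axiom schemas of Appendix C.1; (S) is handled in check_H
    'K':     imp(says('?K', imp(A_, B_)), imp(says('?K', A_), says('?K', B_))),
    '4':     imp(says('?K', A_), says('?K', says('?K', A_))),
    'C':     says('?K', imp(says('?K', A_), A_)),
    'imp1':  imp(A_, imp(B_, A_)),
    'imp2':  imp(imp(A_, B_), imp(imp(A_, imp(B_, C_)), imp(A_, C_))),
    'conj1': imp(A_, imp(B_, ('and', A_, B_))),
    'conj2': imp(('and', A_, B_), A_),
    'conj3': imp(('and', A_, B_), B_),
    'disj1': imp(A_, ('or', A_, B_)),
    'disj2': imp(B_, ('or', A_, B_)),
    'disj3': imp(imp(A_, C_), imp(imp(B_, C_), imp(('or', A_, B_), C_))),
    'true':  TOP,
    'false': imp(BOT, A_),
}
S_SCHEMA = imp(says('?K1', A_), says('?K2', A_))   # (S), side condition K1 ⪰ K2

def match(schema, formula, env):
    """Match a schema against a concrete formula; extend env or return None."""
    if schema[0] == 'var':
        return env if env.setdefault(schema[1], formula) == formula else None
    if schema[0] != formula[0] or len(schema) != len(formula):
        return None
    if schema[0] == 'atom':
        return env if schema == formula else None
    if schema[0] == 'says':
        k = schema[1]
        if k.startswith('?'):
            if env.setdefault(k, formula[1]) != formula[1]:
                return None
        elif k != formula[1]:
            return None
        return match(schema[2], formula[2], env)
    for s, f in zip(schema[1:], formula[1:]):      # and / or / imp
        if match(s, f, env) is None:
            return None
    return env

def check_H(steps, succeq=lambda k1, k2: k1 == k2):
    """Verify a ⊢_H derivation given as (formula, justification) pairs, where the
    justification is ('ax', name), ('mp', i, j) with step i = step j ⊃ this step,
    or ('nec', i).  Returns the proved formulas; raises ValueError on a bad step."""
    proved = []
    for n, (f, just) in enumerate(steps):
        if just[0] == 'ax' and just[1] == 'S':
            env = match(S_SCHEMA, f, {})
            ok = env is not None and succeq(env['?K1'], env['?K2'])
        elif just[0] == 'ax':
            ok = match(AXIOMS[just[1]], f, {}) is not None
        elif just[0] == 'mp':
            ok = proved[just[1]] == imp(proved[just[2]], f)
        elif just[0] == 'nec':
            ok = f[0] == 'says' and f[2] == proved[just[1]]
        else:
            ok = False
        if not ok:
            raise ValueError(f'step {n} ({just}) does not follow')
        proved.append(f)
    return proved

def c10_if_derivation(A, K='K'):
    """Steps 2-10 of the 'if' direction of Corollary C.10 for X = ⊤ ⊃ A, with
    step 5 (⊢_H X ⊃ X) expanded as in the (use) case of Theorem C.2 (B := ⊤)."""
    X = imp(TOP, A)
    BX = imp(TOP, X)                          # the 'B ⊃ X' of the (use) case
    return [
        (imp(imp(X, BX), imp(imp(X, imp(BX, X)), imp(X, X))), ('ax', 'imp2')),  # 0
        (imp(X, BX), ('ax', 'imp1')),                                           # 1
        (imp(imp(X, imp(BX, X)), imp(X, X)), ('mp', 0, 1)),                     # 2
        (imp(X, imp(BX, X)), ('ax', 'imp1')),                                   # 3
        (imp(X, X), ('mp', 2, 3)),                                              # 4
        (imp(TOP, imp(X, TOP)), ('ax', 'imp1')),                                # 5
        (TOP, ('ax', 'true')),                                                  # 6
        (imp(X, TOP), ('mp', 5, 6)),                                            # 7
        (imp(imp(X, TOP), imp(imp(X, X), imp(X, A))), ('ax', 'imp2')),          # 8
        (imp(imp(X, X), imp(X, A)), ('mp', 8, 7)),                              # 9
        (imp(X, A), ('mp', 9, 4)),                                              # 10: (⊤ ⊃ A) ⊃ A
        (says(K, imp(X, A)), ('nec', 10)),                                      # 11
        (imp(says(K, imp(X, A)), imp(says(K, X), says(K, A))), ('ax', 'K')),    # 12
        (imp(says(K, X), says(K, A)), ('mp', 12, 11)),                          # 13
    ]

if __name__ == '__main__':
    for n, f in enumerate(check_H(c10_if_derivation(('atom', 'A')))):
        print(n, f)
```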


D Proofs from Section 4

D.1 Soundness

We show here that the Kripke semantics for DTL0 are sound, i.e., if $\Gamma \xrightarrow{K} A$, then $\mathcal{M} \models_K (\overline{\Gamma} \supset A)$ in each model $\mathcal{M}$, where $\overline{\Gamma}$ is the context $\Gamma$ reified as a formula, as defined in Appendix C.2. First, we prove a few preliminary lemmas. As a convention, we write $w_K$ to denote a world $w$ that is visible to $K$.

Lemma D.1 (Monotonicity). If $w \models A$ and $w' \geq w$, then $w' \models A$.

Proof. We induct on $A$.

Case. $A = P$ ($A$ is atomic)

Suppose $w \models P$, and $w' \geq w$. We want to show that $w' \models P$. By assumption $w \models P$, which implies that $P \in \rho(w)$. Hence $P \in \rho(w')$ (condition Rho-her). Thus $w' \models P$.

Case. $A = \top$ is trivial.

Case. $A = \bot$

Suppose $w \models \bot$ and $w' \geq w$.

To show: $w' \models \bot$.

By assumption $w \in F$. Hence by (F-her), $w' \in F$. Thus $w' \models \bot$.

Case. $A = A_1 \wedge A_2$

Suppose $w \models A_1 \wedge A_2$ and $w' \geq w$.

To show: $w' \models A_1 \wedge A_2$.

By assumption, $w \models A_1$ and $w \models A_2$. By i.h., $w' \models A_1$ and $w' \models A_2$. Thus by definition $w' \models A_1 \wedge A_2$, as required.

Case. $A = A_1 \vee A_2$

Suppose $w \models A_1 \vee A_2$ and $w' \geq w$.

To show: $w' \models A_1 \vee A_2$.

By assumption, $w \models A_1$ or $w \models A_2$. Let us take the case $w \models A_1$ (the other case is symmetric). By i.h., $w' \models A_1$. Thus by definition $w' \models A_1 \vee A_2$, as required.

Case. $A = A_1 \supset A_2$

Suppose $w \models A_1 \supset A_2$ and $w' \geq w$.

To show: $w' \models A_1 \supset A_2$.

Suppose $w'' \geq w'$.

To show: $w'' \models A_1$ implies $w'' \models A_2$.

By transitivity of $\geq$, $w'' \geq w$. By definition of $w \models A_1 \supset A_2$, $w'' \models A_1$ implies $w'' \models A_2$ as required.

Case. $A = K\ \mathsf{says}\ B$

Suppose $w \models K\ \mathsf{says}\ B$ and $w' \geq w$.

To show: $w' \models K\ \mathsf{says}\ B$.

By assumption $w \models K\ \mathsf{says}\ B$, either $w \in F$ or $w \leq w'' \sqsubseteq_K w'''$ implies $w''' \models B$. If $w \in F$, by (F-her), $w' \in F$. Hence $w' \models K\ \mathsf{says}\ B$. Otherwise, pick any $w_4$ and $w_5$ such that $w' \leq w_4 \sqsubseteq_K w_5$. Clearly, by transitivity of $\leq$, we also have $w \leq w_4 \sqsubseteq_K w_5$. Thus by the assumption $w_5 \models B$ as required.

□


Lemma D.2 (Falsehood). If $w \models \bot$, then for any proposition $A$, $w \models A$.

Proof. By induction on $A$.

Case. $A = P$ ($A$ is atomic)

Suppose $w \models \bot$.

To show: $w \models P$.

By assumption, $w \in F$. By (F-univ), $P \in \rho(w)$. Thus $w \models P$.

Case. $A = \top$ is trivial.

Case. $A = \bot$ is trivial.

Case. $A = A_1 \wedge A_2$.

Suppose $w \models \bot$. By i.h. $w \models A_1$ and $w \models A_2$. Hence by definition of satisfaction, $w \models A_1 \wedge A_2$.

Case. $A = A_1 \vee A_2$.

Suppose $w \models \bot$. By i.h. $w \models A_1$. Hence by definition of satisfaction, $w \models A_1 \vee A_2$.

Case. $A = A_1 \supset A_2$.

Suppose $w \models \bot$. Choose any $w' \geq w$. We want to show that $w' \models A_1$ implies $w' \models A_2$. By Lemma D.1, $w' \models \bot$. Hence $w' \models A_2$ by i.h., and in particular, $w' \models A_1$ implies $w' \models A_2$.

Case. $A = K\ \mathsf{says}\ B$.

Suppose $w \models \bot$. Thus by definition, $w \in F$. Hence by definition, $w \models K\ \mathsf{says}\ B$.

□

Theorem D.3 (Soundness). If $\Gamma \xrightarrow{K} A$, then for each Kripke model $\mathcal{M}$, $\mathcal{M} \models_K \overline{\Gamma} \supset A$.

Proof. We induct on the derivation of $\Gamma \xrightarrow{K} A$.

Case. $\dfrac{P\ \text{atomic}}{\Gamma, P \xrightarrow{K} P}\ (\mathsf{init})$

Pick any $w$ such that $K \in \theta(w)$. We want to show that $w \models (\overline{\Gamma} \wedge P) \supset P$. So pick any $w' \geq w$. It suffices to show that $w' \models \overline{\Gamma} \wedge P$ implies $w' \models P$. But if we assume that $w' \models \overline{\Gamma} \wedge P$, then $w' \models P$ follows by definition of satisfaction.

Case. $\dfrac{\Gamma, K\ \mathsf{claims}\ A, A \xrightarrow{K'} C \qquad K \succeq K'}{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C}\ (\mathsf{claims})$

Pick any $w$ ($K' \in \theta(w)$).

To show: $w \models (\overline{\Gamma} \wedge K\ \mathsf{says}\ A) \supset C$

1. Assume any $w' \geq w$.
   Suffices to show: $w' \models \overline{\Gamma} \wedge K\ \mathsf{says}\ A$ implies $w' \models C$
2. Assume: $w' \models \overline{\Gamma}$ and $w' \models K\ \mathsf{says}\ A$
3. Suffices to show: $w' \models C$
4. From i.h.: $w' \models (\overline{\Gamma} \wedge (K\ \mathsf{says}\ A) \wedge A) \supset C$. (We can apply i.h. since $K' \in \theta(w)$ and $w \leq w'$ imply $K' \in \theta(w')$)
5. By definition on (4): $w' \models \overline{\Gamma}$ and $w' \models K\ \mathsf{says}\ A$ and $w' \models A$ implies $w' \models C$
6. From (2), $w' \models K\ \mathsf{says}\ A$. Also, $K' \in \theta(w')$. Hence, by (View-closure), $K \in \theta(w')$. By (Imp-refl) and (Mod-refl), $w' \leq w' \sqsubseteq_K w'$. By definition of satisfaction, either $w' \in F$ or $w' \models A$. In the former case, $w' \models A$ by Lemma D.2. Thus $w' \models A$.
7. From (2), (6) and (5), $w' \models C$ as required in (3).

Case. $\dfrac{\Gamma|_K \xrightarrow{K} A}{\Gamma \xrightarrow{K'} K\ \mathsf{says}\ A}\ (\mathsf{saysR})$

Pick any $w$ such that $K' \in \theta(w)$.

To show: $w \models \overline{\Gamma} \supset K\ \mathsf{says}\ A$.

1. Assume any $w' \geq w$.
   Suffices to show: $w' \models \overline{\Gamma}$ implies $w' \models K\ \mathsf{says}\ A$
2. Assume $w' \models \overline{\Gamma}$.
3. Suffices to show: $w' \models K\ \mathsf{says}\ A$
4. Assume $w' \notin F$, and pick any $w'', w'''$ such that $w' \leq w'' \sqsubseteq_K w'''$ (Note: $K \in \theta(w''')$).
5. Suffices to show: $w''' \models A$
6. Let $\Gamma|_K = K_1\ \mathsf{claims}\ B_1, \ldots, K_n\ \mathsf{claims}\ B_n$. (Note: $K_i \succeq K$ for each $i$)
7. By i.h., $w''' \models (K_1\ \mathsf{says}\ B_1 \wedge \ldots \wedge K_n\ \mathsf{says}\ B_n) \supset A$ (we can apply i.h. because $K \in \theta(w''')$)
8. By definition on (7), $w''' \models K_i\ \mathsf{says}\ B_i$ for all $i$ implies $w''' \models A$
9. From (5) and (7), suffices to show that $w''' \models K_i\ \mathsf{says}\ B_i$ for each $i$.
10. Choose any $w''' \leq w_4 \sqsubseteq_{K_i} w_5$. Suffices to show: $w_5 \models B_i$. (Note: $K \in \theta(w_4)$ by (View-closure))
11. From (4) and (10), we have $w'' \sqsubseteq_K w''' \leq w_4$. By (Commutativity), $w'' \sqsubseteq_K w_4$. By (Mod-closure), $w'' \sqsubseteq_{K_i} w_4$.
12. We now obtain $w' \leq w'' \sqsubseteq_{K_i} w_4 \sqsubseteq_{K_i} w_5$.
13. From (12), and (Mod-trans), $w' \leq w'' \sqsubseteq_{K_i} w_5$.
14. Since $w' \models K_i\ \mathsf{says}\ B_i$ (assumption 2), and $w' \notin F$ (assumption 4), by definition of satisfaction, $w_5 \models B_i$, as required in (10).

Case. $\dfrac{\Gamma, K\ \mathsf{says}\ A, K\ \mathsf{claims}\ A \xrightarrow{K'} C}{\Gamma, K\ \mathsf{says}\ A \xrightarrow{K'} C}\ (\mathsf{saysL})$

We want to show that if $w_{K'}$, then $w \models (\overline{\Gamma} \wedge K\ \mathsf{says}\ A) \supset C$. Equivalently, for any $w' \geq w$, $w' \models \overline{\Gamma} \wedge K\ \mathsf{says}\ A$ implies $w' \models C$. By i.h., $w' \models \overline{\Gamma} \wedge K\ \mathsf{says}\ A \wedge K\ \mathsf{says}\ A$ implies $w' \models C$. However, $w' \models \overline{\Gamma} \wedge K\ \mathsf{says}\ A$ and $w' \models \overline{\Gamma} \wedge K\ \mathsf{says}\ A \wedge K\ \mathsf{says}\ A$ are equivalent by definition.

Case. $\dfrac{\Gamma \xrightarrow{K} A \qquad \Gamma \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \wedge B}\ (\wedge R)$

Suppose $w_K$ is a world. We want to show that $w \models \overline{\Gamma} \supset (A \wedge B)$. Pick any $w' \geq w$ and assume that $w' \models \overline{\Gamma}$. It suffices to show that $w' \models A \wedge B$, or equivalently that $w' \models A$ and that $w' \models B$. This follows immediately by i.h. (since $K \in \theta(w')$).

Case. $\dfrac{\Gamma, A \wedge B, A, B \xrightarrow{K} C}{\Gamma, A \wedge B \xrightarrow{K} C}\ (\wedge L)$

Suppose $w_K$ is a world. Pick any $w' \geq w$. It suffices to show that $w' \models \overline{\Gamma} \wedge A \wedge B$ implies that $w' \models C$. This follows immediately by the i.h. (since $K \in \theta(w')$).

Case. $\dfrac{\Gamma \xrightarrow{K} A}{\Gamma \xrightarrow{K} A \vee B}\ (\vee R_1)$

Suppose $w_K$ is a world. Pick any $w' \geq w$. It suffices to show that $w' \models \overline{\Gamma}$ implies that $w' \models A \vee B$. Assume $w' \models \overline{\Gamma}$. By i.h., $w' \models \overline{\Gamma}$ implies $w' \models A$. Hence $w' \models A$. By definition of satisfaction, $w' \models A \vee B$ as required.

Case. $\dfrac{\Gamma \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \vee B}\ (\vee R_2)$

Similar to the previous case.

Case. $\dfrac{\Gamma, A \vee B, A \xrightarrow{K} C \qquad \Gamma, A \vee B, B \xrightarrow{K} C}{\Gamma, A \vee B \xrightarrow{K} C}\ (\vee L)$

Suppose $w_K$ is a world. Pick any $w' \geq w$. We want to show that $w' \models \overline{\Gamma} \wedge (A \vee B)$ implies $w' \models C$. Suppose that $w' \models \overline{\Gamma} \wedge (A \vee B)$. By definition, $w' \models \overline{\Gamma}$ and either $w' \models A$ or $w' \models B$. Suppose that $w' \models A$ (the other case is similar). By i.h. on first premise, $w' \models \overline{\Gamma}$ and $w' \models A$ imply $w' \models C$. It follows immediately that $w' \models C$ as required.

Case. $\dfrac{}{\Gamma \xrightarrow{K} \top}\ (\top R)$

Pick any $w_K$. We want to show for any $w' \geq w$ that $w' \models \overline{\Gamma}$ implies $w' \models \top$. However, $w' \models \top$ is always true by definition.

Case. $\dfrac{}{\Gamma, \bot \xrightarrow{K} C}\ (\bot L)$

Pick any $w_K$. We want to show for any $w' \geq w$ that $w' \models \overline{\Gamma} \wedge \bot$ implies $w' \models C$. Assume that $w' \models \overline{\Gamma} \wedge \bot$. In particular, $w' \models \bot$. By Lemma D.2, $w' \models C$, as required.

Case. $\dfrac{\Gamma, A \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \supset B}\ (\supset R)$

Pick any $w_K$, and any $w' \geq w$. It suffices to show that $w' \models \overline{\Gamma}$ implies $w' \models A \supset B$. To show this pick any $w'' \geq w'$, assume that $w'' \models A$ and observe that it suffices to show that $w'' \models B$. Now from Lemma D.1, it follows that $w'' \models \overline{\Gamma}$. Hence $w'' \models \overline{\Gamma} \wedge A$. From i.h., $w'' \models B$ as required.

Case. $\dfrac{\Gamma, A \supset B \xrightarrow{K} A \qquad \Gamma, A \supset B, B \xrightarrow{K} C}{\Gamma, A \supset B \xrightarrow{K} C}\ (\supset L)$

Pick any $w_K$ and $w' \geq w$. We want to show that $w' \models \overline{\Gamma} \wedge (A \supset B)$ implies $w' \models C$. Assume that $w' \models \overline{\Gamma}$ and that $w' \models A \supset B$. From i.h. (1) it follows that $w' \models A$. Hence $w' \models B$. Now from i.h. (2), $w' \models C$ as required.

□


D.2 Canonical Kripke Model and Completeness

In this section, we provide proofs of Lemmas and Theorems from Section 4.1.

Lemma D.4 (Canonical Model; Lemma 4.8). The model constructed in Definition 4.7 is a Kripke model for DTL0, i.e., it satisfies all conditions of Definition 4.1.

Proof. We verify all the conditions from Definition 4.1.

• (View-closure) Suppose $K \in \theta(\Gamma, S) = S$. Now by (Prin-closure), there is a principal $K_0$ such that $S = \{K \mid K \succeq K_0\}$. It follows that $K \succeq K_0$. Now suppose $K' \succeq K$. By the fact that $\succeq$ is a pre-order, $K' \succeq K_0$. Thus $K' \in S = \theta(\Gamma, S)$, as required.

• (Imp-mon) By definition, $(\Gamma, S) \leq (\Gamma', S')$ implies $S \subseteq S'$, i.e., $\theta(\Gamma, S) \subseteq \theta(\Gamma', S')$.

• (Imp-refl) and (Imp-trans) follow by definition of $\leq$ in the canonical model.

• (Mod-refl) Let $w = (\Gamma, S)$ and $K \in S$. We want to show that $(\Gamma, S) \sqsubseteq_K (\Gamma, S)$. For this, we need to show that $K\ \mathsf{says}\ A \in \Gamma$ implies $A \in \Gamma$. This follows from the condition (Fact-closure) because $K\ \mathsf{says}\ A \xrightarrow{K} A$ in the sequent calculus.

• (Mod-trans) Let $(\Gamma_1, S_1) \sqsubseteq_K (\Gamma_2, S_2) \sqsubseteq_K (\Gamma_3, S_3)$. We want to show that $K\ \mathsf{says}\ A \in \Gamma_1$ implies $A \in \Gamma_3$. By condition (Prin-closure), there is at least one element in $S_1$, say $K_1$. Now observe that $K\ \mathsf{says}\ A \xrightarrow{K_1} K\ \mathsf{says}\ K\ \mathsf{says}\ A$. Hence $K\ \mathsf{says}\ A \in \Gamma_1$ implies (by Fact-closure) that $K\ \mathsf{says}\ K\ \mathsf{says}\ A \in \Gamma_1$, which implies (by definition of $\sqsubseteq_K$) that $K\ \mathsf{says}\ A \in \Gamma_2$, which further implies that $A \in \Gamma_3$.

• (Mod-closure) Let $(\Gamma_1, S_1) \sqsubseteq_K (\Gamma_2, S_2)$ and $K' \succeq K$. We want to show $(\Gamma_1, S_1) \sqsubseteq_{K'} (\Gamma_2, S_2)$. Clearly, $K' \in S_2$ because $K \in S_2$. Pick any $K'\ \mathsf{says}\ B \in \Gamma_1$. We need to show $B \in \Gamma_2$. However, $K'\ \mathsf{says}\ B \xrightarrow{K_0} K\ \mathsf{says}\ B$ for any $K_0 \in S_1$. Thus by (Fact-closure), $K\ \mathsf{says}\ B \in \Gamma_1$. Hence by definition of $\sqsubseteq_K$, $B \in \Gamma_2$ as required.

• (Rho-her) Let $P \in \rho(\Gamma_1, S_1)$ (i.e., $P \in \Gamma_1$) and $(\Gamma_1, S_1) \leq (\Gamma_2, S_2)$. By definition of $\leq$ in the canonical model, $\Gamma_1 \subseteq \Gamma_2$. Thus $P \in \Gamma_2$, or equivalently, $P \in \rho(\Gamma_2, S_2)$.

• (F-her) Let $(\Gamma_1, S_1) \in F$ (i.e., $\bot \in \Gamma_1$) and $(\Gamma_1, S_1) \leq (\Gamma_2, S_2)$. By definition of $\leq$ in the canonical model, $\Gamma_1 \subseteq \Gamma_2$. Thus $\bot \in \Gamma_2$, or equivalently, $(\Gamma_2, S_2) \in F$.

• (F-univ) Let $(\Gamma, S) \in F$. By definition, $\bot \in \Gamma$. By condition (Prin-closure), there is at least one principal, say $K$, in $S$. Also, $\bot \xrightarrow{K} P$ in the sequent calculus. Therefore, by condition (Fact-closure), $P \in \Gamma$, or equivalently, $P \in \rho(\Gamma, S)$.

• (Commutativity) Suppose $(\Gamma_1, S_1) \sqsubseteq_K (\Gamma_2, S_2) \leq (\Gamma_3, S_3)$. We want to show that $(\Gamma_1, S_1) \sqsubseteq_K (\Gamma_3, S_3)$. Since $K \in S_2$ and $S_2 \subseteq S_3$, $K \in S_3$. Also, $K\ \mathsf{says}\ A \in \Gamma_1$ implies (by definition of $\sqsubseteq_K$) that $A \in \Gamma_2$, which in turn implies $A \in \Gamma_3$ (since $\Gamma_2 \subseteq \Gamma_3$).

□

Lemma D.5 (Consistent Extensions; Lemma 4.9). Let $(\Gamma, S)$ be an $A$-consistent theory. Then there is an $A$-consistent prime theory $(\Gamma^*, S)$ such that $\Gamma \subseteq \Gamma^*$.

Proof. We use Zorn's lemma. Let us define the set $\mathcal{S}$ of theories as follows: $\mathcal{S} = \{(\Gamma', S) \mid \Gamma' \supseteq \Gamma,\ \forall K \in S.\ \Gamma' \not\xrightarrow{K} A\}$. We make the set a partial order by defining $(\Gamma', S) \leq (\Gamma'', S)$ if $\Gamma' \subseteq \Gamma''$. Clearly $\mathcal{S}$ is non-empty since $(\Gamma, S) \in \mathcal{S}$. Now take any chain $(\Gamma_1, S) \leq (\Gamma_2, S) \leq \ldots$ in $\mathcal{S}$. Clearly $(\bigcup \Gamma_i, S)$ is an upper bound on this chain. We show that $(\bigcup \Gamma_i, S) \in \mathcal{S}$. First, clearly $\bigcup \Gamma_i \supseteq \Gamma$ since each $\Gamma_i \supseteq \Gamma$. Second, $\bigcup \Gamma_i \not\xrightarrow{K} A$ for any $K \in S$. To see this, assume (for the sake of contradiction) that $\bigcup \Gamma_i \xrightarrow{K} A$ for some $K \in S$. Then there is a finite subset $\Gamma'$ of $\bigcup \Gamma_i$ such that $\Gamma' \xrightarrow{K} A$. Since $\Gamma'$ is finite, there must be some $n$ such that $\Gamma' \subseteq \Gamma_n$. Clearly then $\Gamma_n \xrightarrow{K} A$, thus violating the fact that $(\Gamma_n, S) \in \mathcal{S}$. Hence, $\bigcup \Gamma_i \not\xrightarrow{K} A$. And therefore, $(\bigcup \Gamma_i, S) \in \mathcal{S}$.

By Zorn's lemma, $\mathcal{S}$ has a maximal element. Let this element be $(\Gamma^*, S)$. By definition of $\mathcal{S}$, $\Gamma^* \not\xrightarrow{K} A$ for any $K \in S$, so that $(\Gamma^*, S)$ is $A$-consistent. We now show that $(\Gamma^*, S)$ is a prime theory. To do this, we verify the (Fact-closure) and (Primality) conditions. (The condition (Prin-closure) holds because we assume that $S$ is a filter.)

• (Fact-closure) Suppose for the sake of contradiction that $\Gamma^* \xrightarrow{K} C$ for some $K \in S$, but $C \notin \Gamma^*$. Let $K_0$ be a minimum element of $S$ (this exists because $S$ is a filter). Clearly $\Gamma^*, C \not\xrightarrow{K_0} A$. (If not, then $\Gamma^*, C \xrightarrow{K_0} A$ and $\Gamma^* \xrightarrow{K} C$ would imply $\Gamma^* \xrightarrow{K_0} A$ by Theorems B.1 and B.2, thus contradicting the $A$-consistency of $(\Gamma^*, S)$.) It follows that for any $K \in S$, $\Gamma^*, C \not\xrightarrow{K} A$. Thus $(\Gamma^* \cup \{C\}, S) \in \mathcal{S}$. This contradicts the maximality of $(\Gamma^*, S)$.

• (Primality) Suppose for the sake of contradiction that $B \vee C \in \Gamma^*$ and $B, C \notin \Gamma^*$. Consider the theories $(\Gamma^* \cup \{B\}, S)$ and $(\Gamma^* \cup \{C\}, S)$. We claim that at least one of these is $A$-consistent. Suppose on the contrary that both are $A$-inconsistent. Then $\Gamma^*, B \xrightarrow{K_1} A$ and $\Gamma^*, C \xrightarrow{K_2} A$ for some $K_1, K_2 \in S$. Thus
$$\Gamma^*, B \xrightarrow{K_0} A \qquad \text{and} \qquad \Gamma^*, C \xrightarrow{K_0} A$$
where $K_0$ is a least element of $S$. Further, since $B \vee C \in \Gamma^*$, we would obtain $\Gamma^* \xrightarrow{K_0} A$, thus violating the $A$-consistency of $(\Gamma^*, S)$. Hence at least one of the theories $(\Gamma^* \cup \{B\}, S)$ and $(\Gamma^* \cup \{C\}, S)$ is $A$-consistent. Assume without loss of generality that $(\Gamma^* \cup \{B\}, S)$ is $A$-consistent. Then clearly, $(\Gamma^* \cup \{B\}, S) \in \mathcal{S}$, which violates the maximality of $(\Gamma^*, S)$. Thus at least one of $B$ and $C$ must be in $\Gamma^*$, as required.

□

Lemma D.6 (Satisfaction; Lemma 4.10). For each formula $A$, and each prime theory $(\Gamma, S)$, it is the case that $(\Gamma, S) \models A$ in the canonical model iff $A \in \Gamma$.

Proof. We induct on $A$.

Case. $A = P$ ($A$ is atomic).

$(\Gamma, S) \models P$ iff $P \in \rho(\Gamma, S)$ iff $P \in \Gamma$.

Case. $A = B \wedge C$.

Suppose $B \wedge C \in \Gamma$. We want to show that $(\Gamma, S) \models B \wedge C$. By (Fact-closure) on the theory $(\Gamma, S)$, $B \in \Gamma$ and $C \in \Gamma$. Hence by the i.h., $(\Gamma, S) \models B$ and $(\Gamma, S) \models C$. It follows then that $(\Gamma, S) \models B \wedge C$.

Conversely suppose that $(\Gamma, S) \models B \wedge C$. By definition $(\Gamma, S) \models B$ and $(\Gamma, S) \models C$. By i.h., $B, C \in \Gamma$. By (Fact-closure), $B \wedge C \in \Gamma$.

Case. $A = B \vee C$.

Suppose $B \vee C \in \Gamma$. We want to show that $(\Gamma, S) \models B \vee C$. By the (Primality) condition on $(\Gamma, S)$, either $B \in \Gamma$ or $C \in \Gamma$. Assume the former (the other case is similar). Then by i.h., $(\Gamma, S) \models B$. Hence by definition, $(\Gamma, S) \models B \vee C$.

Conversely, suppose that $(\Gamma, S) \models B \vee C$. By definition, either $(\Gamma, S) \models B$ or $(\Gamma, S) \models C$. Assume the former (the other case is similar). Then by i.h., $B \in \Gamma$. Hence by (Fact-closure), $B \vee C \in \Gamma$.

Case. $A = \top$.

Suppose $\top \in \Gamma$. Then trivially, $(\Gamma, S) \models \top$.

Conversely, suppose $(\Gamma, S) \models \top$. Since $\Gamma \xrightarrow{K} \top$ for any $K$, $\top \in \Gamma$ by (Fact-closure).

Case. $A = \bot$.

$(\Gamma, S) \models \bot$ iff $(\Gamma, S) \in F$ iff $\bot \in \Gamma$.

Case. $A = B \supset C$.

Suppose $B \supset C \in \Gamma$. Pick any $(\Gamma', S') \geq (\Gamma, S)$. We want to show that $(\Gamma', S') \models B$ implies $(\Gamma', S') \models C$. Assume $(\Gamma', S') \models B$. By i.h., $B \in \Gamma'$. Also, by definition, $\Gamma' \supseteq \Gamma$. Hence, $B \supset C \in \Gamma'$. Clearly $B, B \supset C \xrightarrow{K} C$ for any $K \in S'$. Thus by (Fact-closure) on $(\Gamma', S')$, it must be the case that $C \in \Gamma'$. By i.h., $(\Gamma', S') \models C$, as required.

Conversely, suppose that $(\Gamma, S) \models B \supset C$. We want to show that $B \supset C \in \Gamma$. Assume for the sake of contradiction that $B \supset C \notin \Gamma$, and pick any $K \in S$. Due to (Fact-closure), it must be the case that $\Gamma \not\xrightarrow{K} B \supset C$. It follows immediately (from basic properties of the sequent calculus) that $\Gamma, B \not\xrightarrow{K} B \supset C$. Thus $(\Gamma \cup \{B\}, S)$ is $B \supset C$ consistent. By Lemma D.5, there is a prime theory $w = (\Gamma \cup \{B\} \cup \Gamma', S)$ which is $B \supset C$ consistent. Now by i.h., $w \models B$. Also, since $w \geq (\Gamma, S)$, and $(\Gamma, S) \models B \supset C$, we obtain $w \models C$. By i.h., $C \in \Gamma \cup \{B\} \cup \Gamma'$. Since $C \xrightarrow{K} B \supset C$ for any $K$, it follows by (Fact-closure) on $w$ that $B \supset C \in \Gamma \cup \{B\} \cup \Gamma'$, which violates the $B \supset C$ consistency of $(\Gamma \cup \{B\} \cup \Gamma', S)$. It follows therefore, that $B \supset C \in \Gamma$, as required.

Case. $A = K\ \mathsf{says}\ B$.

Suppose $K\ \mathsf{says}\ B \in \Gamma$. We want to show that $(\Gamma, S) \models K\ \mathsf{says}\ B$. So pick any sequence $(\Gamma, S) \leq (\Gamma', S') \sqsubseteq_K (\Gamma'', S'')$, where $K \in S''$. Since $\Gamma \subseteq \Gamma'$, $K\ \mathsf{says}\ B \in \Gamma'$. By definition of $\sqsubseteq_K$ in canonical models, $B \in \Gamma''$. Hence by i.h., $(\Gamma'', S'') \models B$. Since $\Gamma', \Gamma'', S', S''$ are arbitrary, by definition of satisfaction it follows that $(\Gamma, S) \models K\ \mathsf{says}\ B$.

Conversely, suppose that $(\Gamma, S) \models K\ \mathsf{says}\ B$. We want to show that $K\ \mathsf{says}\ B \in \Gamma$. If $\bot \in \Gamma$, this is trivial due to the closure condition. Hence we may assume that $\bot \notin \Gamma$. Let $S_K = \{K' \mid K' \succeq K\}$. Now consider the theory $(\Gamma|_K, S_K)$.[9] We claim that this theory is not $B$ consistent. Suppose on the contrary that it is $B$ consistent. Then by Lemma D.5, there is a larger prime theory $(\Gamma', S_K)$ that is $B$ consistent ($\Gamma' \supseteq \Gamma|_K$). Observe that $(\Gamma, S) \leq (\Gamma, S) \sqsubseteq_K (\Gamma', S_K)$. The first relation is trivial. To prove that $(\Gamma, S) \sqsubseteq_K (\Gamma', S_K)$, pick any $K'\ \mathsf{says}\ C \in \Gamma$, where $K' \succeq K$. We will show that $C \in \Gamma'$. Since $K'\ \mathsf{says}\ C \in \Gamma$, $K'\ \mathsf{says}\ C \in \Gamma|_K$. Hence, $K'\ \mathsf{says}\ C \in \Gamma'$. Now observe that $K'\ \mathsf{says}\ C \xrightarrow{K'} C$. So by (Fact-closure) on $(\Gamma', S_K)$, $C \in \Gamma'$. Hence $(\Gamma, S) \leq (\Gamma, S) \sqsubseteq_K (\Gamma', S_K)$.

Next, from the assumption that $(\Gamma, S) \models K\ \mathsf{says}\ B$ and the fact that $\bot \notin \Gamma$ (so that $(\Gamma, S)$ is not fallible), we must have $(\Gamma', S_K) \models B$. By i.h., $B \in \Gamma'$. This immediately violates the fact that $(\Gamma', S_K)$ is $B$ consistent. Thus $(\Gamma|_K, S_K)$ is not $B$ consistent. Therefore there is some $K' \in S_K$ such that $\Gamma|_K \xrightarrow{K'} B$. Since $K' \succeq K$, it follows from Theorem B.1 that $\Gamma|_K \xrightarrow{K} B$. Thus $\Gamma \xrightarrow{K''} K\ \mathsf{says}\ B$ for any $K'' \in S$. Thus by (Fact-closure) on $(\Gamma, S)$, $K\ \mathsf{says}\ B \in \Gamma$.

□

[9] $\Gamma|_K$ is defined here as $\{(K'\ \mathsf{says}\ A) \in \Gamma \mid K' \succeq K\}$.

Theorem D.7 (Soundness and Completeness; Theorem 4.3). $\cdot \xrightarrow{K} A$ if and only if for each Kripke model $M$, $M \models_K A$.

Proof. Suppose $\cdot \xrightarrow{K} A$. Then by Theorem D.3, $M \models_K \top \supset A$. Hence, $M \models_K A$. Conversely, suppose that for each model $M$, $M \models_K A$. Then, in particular for each $w \in W^K$ in the canonical model $w \models A$. By Theorem 4.11, $\cdot \xrightarrow{K} A$ (else there must be a world $w \in W^K$ such that $w \not\models A$). □


E Proofs from Section 5.1

In this appendix we prove that the translation from DTL0 to CS4m is correct (Theorem 5.2). First, we develop the axiomatic system for CS4m.

E.1 The Axiomatic System for CS4m

In Section 5.1, we listed the axioms and rules of CS4m that are specific to the modality $\Box_K$. Below we list all the rules and axioms of CS4m.

$$\frac{\vdash A}{\vdash \Box_K A}\ \text{(nec)} \qquad \frac{\vdash A \supset B \qquad \vdash A}{\vdash B}\ \text{(mp)} \qquad \frac{A \text{ is an axiom}}{\vdash A}\ \text{(ax)}$$

Axioms:

$(\Box_K(A \supset B)) \supset ((\Box_K A) \supset (\Box_K B))$ (K)

$(\Box_K A) \supset \Box_K \Box_K A$ (4)

$(\Box_K A) \supset A$ (T)

$(\Box_K A) \supset \Box_{K'} A$ if $K \succeq K'$ (S)

$A \supset (B \supset A)$ (imp1)

$(A \supset B) \supset ((A \supset (B \supset C)) \supset (A \supset C))$ (imp2)

$A \supset (B \supset (A \wedge B))$ (conj1)

$(A \wedge B) \supset A$ (conj2)

$(A \wedge B) \supset B$ (conj3)

$A \supset (A \vee B)$ (disj1)

$B \supset (A \vee B)$ (disj2)

$(A \supset C) \supset ((B \supset C) \supset ((A \vee B) \supset C))$ (disj3)

$\top$ (true)

$\bot \supset A$ (false)

Next, we generalize the axiomatic system, adding hypothetical reasoning, as we did for the axiomatic system of DTL0 (Appendix C). We write $\Gamma \vdash_G A$ to mean that $A$ follows from the formulas in $\Gamma$. The rules of deduction are:

$$\frac{}{\Gamma, A \vdash_G A}\ \text{(use)} \qquad \frac{\cdot \vdash_G A}{\Gamma \vdash_G \Box_K A}\ \text{(nec)} \qquad \frac{\Gamma \vdash_G A \supset B \qquad \Gamma \vd_G A}{\Gamma \vdash_G B}\ \text{(mp)} \qquad \frac{A \text{ is an axiom}}{\Gamma \vdash_G A}\ \text{(ax)}$$

As for DTL0, we prove some elementary properties for the generalized system of CS4m, and show also that the generalized system and axiomatic system are equivalent.

Lemma E.1 (Basic properties). The following hold.

1. (Weakening) $\Gamma \vdash_G A$ implies $\Gamma, \Gamma' \vdash_G A$.

2. (Substitution) $\Gamma \vdash_G A$ and $\Gamma, A \vdash_G B$ imply $\Gamma \vdash_G B$.

Proof. Exactly as for DTL0 in Lemma C.1, since the proof does not rely on the specific axioms used. □

Theorem E.2 (Deduction). The following hold.

1. $\Gamma \vdash_G A \supset B$ implies $\Gamma, A \vdash_G B$.

2. $\Gamma, A \vdash_G B$ implies $\Gamma \vdash_G A \supset B$.

Proof. Exactly as for DTL0 in Theorem C.2. The proof does not rely on the axiom (C), which is the only axiom present in DTL0 that is not present in CS4m. □

Theorem E.3 (G iff Axiomatic). $\vdash A$ if and only if $\cdot \vdash_G A$.

Proof. In each direction by straightforward induction on the given derivation. □


E.2 Proof of Soundness

Next we prove soundness of the translation: $\cdot \xrightarrow{K} A$ in DTL0 implies $\vdash O \supset (K \supset \ulcorner A \urcorner)$ in CS4m. Instead of establishing exactly this statement, we modify it slightly to make our induction easier.

Lemma E.4 (Soundness of Translation). If $\vdash_H A$ in DTL0's axiomatic system, then $O \vdash_G \ulcorner A \urcorner$ in CS4m's generalized axiomatic system.

Proof. We induct on the given derivation of $\vdash_H A$, case analyzing the last rule. (We remind the reader that the rules for the judgment $\vdash_H$ are listed in Appendix C.)

Case (nec).
$$\frac{\vdash_H A}{\vdash_H K\ \mathsf{says}\ A}$$

Let $O = \Box_\ell(K_{1A} \supset K_{1B}), \ldots, \Box_\ell(K_{nA} \supset K_{nB})$.

1. $O \vdash_G \ulcorner A \urcorner$ (i.h. on premise)

2. $O, K \vdash_G \ulcorner A \urcorner$ (Weakening, Lemma E.1.1)

3. $\cdot \vdash_G O \supset (K \supset \ulcorner A \urcorner)$ (Theorem E.2)

4. $\cdot \vdash_G \Box_K(O \supset (K \supset \ulcorner A \urcorner))$ (Rule (nec))

5. $\cdot \vdash_G (\Box_K O) \supset \Box_K(K \supset \ulcorner A \urcorner)$, where $\Box_K O$ boxes each formula of $O$ (Rule (ax), (K), and rule (mp))

6. $\Box_K \Box_\ell(K_{1A} \supset K_{1B}), \ldots, \Box_K \Box_\ell(K_{nA} \supset K_{nB}) \vdash_G \Box_K(K \supset \ulcorner A \urcorner)$ (Theorem E.2)

7. $\cdot \vdash_G (\Box_\ell(K_{iA} \supset K_{iB})) \supset \Box_\ell \Box_\ell(K_{iA} \supset K_{iB})$ (Rule (ax) and (4))

8. $\Box_\ell(K_{iA} \supset K_{iB}) \vdash_G \Box_\ell \Box_\ell(K_{iA} \supset K_{iB})$ (Theorem E.2)

9. $\cdot \vdash_G (\Box_\ell \Box_\ell(K_{iA} \supset K_{iB})) \supset \Box_K \Box_\ell(K_{iA} \supset K_{iB})$ (Rule (ax) and (S))

10. $\Box_\ell \Box_\ell(K_{iA} \supset K_{iB}) \vdash_G \Box_K \Box_\ell(K_{iA} \supset K_{iB})$ (Theorem E.2)

11. $\Box_\ell(K_{iA} \supset K_{iB}) \vdash_G \Box_K \Box_\ell(K_{iA} \supset K_{iB})$ (Lemma E.1.2 on 8 and 10)

12. $O \vdash_G \Box_K(K \supset \ulcorner A \urcorner)$ (Lemma E.1.2 on 11 and 6)

Case (mp).
$$\frac{\vdash_H A \supset B \qquad \vdash_H A}{\vdash_H B}$$

1. $O \vdash_G \ulcorner A \urcorner \supset \ulcorner B \urcorner$ (i.h. on 1st premise)

2. $O \vdash_G \ulcorner A \urcorner$ (i.h. on 2nd premise)

3. $O \vdash_G \ulcorner B \urcorner$ (Rule (mp))

Case (ax).
$$\frac{A \text{ is an axiom}}{\vdash_H A}$$

We case analyze the axioms.

Case. (Axiom K) $A = (K'\ \mathsf{says}\ (A' \supset B')) \supset ((K'\ \mathsf{says}\ A') \supset (K'\ \mathsf{says}\ B'))$

1. $O \vdash_G (\Box_{K'}((K' \supset \ulcorner A' \urcorner) \supset (K' \supset \ulcorner B' \urcorner))) \supset ((\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset (\Box_{K'}(K' \supset \ulcorner B' \urcorner)))$ (Rule (ax) and (K))

2. $O, \Box_{K'}((K' \supset \ulcorner A' \urcorner) \supset (K' \supset \ulcorner B' \urcorner)) \vdash_G (\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset (\Box_{K'}(K' \supset \ulcorner B' \urcorner))$ (Theorem E.2)

3. $\cdot \vdash_G (K' \supset (\ulcorner A' \urcorner \supset \ulcorner B' \urcorner)) \supset ((K' \supset \ulcorner A' \urcorner) \supset (K' \supset \ulcorner B' \urcorner))$ (Basic propositional theorem)

4. $\cdot \vdash_G (\Box_{K'}(K' \supset (\ulcorner A' \urcorner \supset \ulcorner B' \urcorner))) \supset \Box_{K'}((K' \supset \ulcorner A' \urcorner) \supset (K' \supset \ulcorner B' \urcorner))$ (Rule (ax), (K) and rule (mp))

5. $\Box_{K'}(K' \supset (\ulcorner A' \urcorner \supset \ulcorner B' \urcorner)) \vdash_G \Box_{K'}((K' \supset \ulcorner A' \urcorner) \supset (K' \supset \ulcorner B' \urcorner))$ (Theorem E.2)

6. $O, \Box_{K'}(K' \supset (\ulcorner A' \urcorner \supset \ulcorner B' \urcorner)) \vdash_G (\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset (\Box_{K'}(K' \supset \ulcorner B' \urcorner))$ (Lemma E.1.2 on 5 and 2)

7. $O \vdash_G (\Box_{K'}(K' \supset (\ulcorner A' \urcorner \supset \ulcorner B' \urcorner))) \supset ((\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset (\Box_{K'}(K' \supset \ulcorner B' \urcorner)))$ (Theorem E.2)

Case. (Axiom 4) $A = (K'\ \mathsf{says}\ A') \supset K'\ \mathsf{says}\ K'\ \mathsf{says}\ A'$

1. $\cdot \vdash_G (\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset \Box_{K'} \Box_{K'}(K' \supset \ulcorner A' \urcorner)$ (Rule (ax) and (4))

2. $\Box_{K'}(K' \supset \ulcorner A' \urcorner) \vdash_G \Box_{K'} \Box_{K'}(K' \supset \ulcorner A' \urcorner)$ (Theorem E.2)

3. $\cdot \vdash_G (\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset (K' \supset (\Box_{K'}(K' \supset \ulcorner A' \urcorner)))$ (Rule (ax) and (imp1))

4. $\cdot \vdash_G \Box_{K'}((\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset (K' \supset (\Box_{K'}(K' \supset \ulcorner A' \urcorner))))$ (Rule (nec))

5. $\cdot \vdash_G (\Box_{K'} \Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset \Box_{K'}(K' \supset (\Box_{K'}(K' \supset \ulcorner A' \urcorner)))$ (Rule (ax), (K) and rule (mp))

6. $\Box_{K'} \Box_{K'}(K' \supset \ulcorner A' \urcorner) \vdash_G \Box_{K'}(K' \supset (\Box_{K'}(K' \supset \ulcorner A' \urcorner)))$ (Theorem E.2)

7. $\Box_{K'}(K' \supset \ulcorner A' \urcorner) \vdash_G \Box_{K'}(K' \supset (\Box_{K'}(K' \supset \ulcorner A' \urcorner)))$ (Lemma E.1.2 on 2 and 6)

8. $\cdot \vdash_G (\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset \Box_{K'}(K' \supset (\Box_{K'}(K' \supset \ulcorner A' \urcorner)))$ (Theorem E.2)

9. $O \vdash_G (\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset \Box_{K'}(K' \supset (\Box_{K'}(K' \supset \ulcorner A' \urcorner)))$ (Weakening, Lemma E.1.1)

Case. (Axiom C) $A = K'\ \mathsf{says}\ ((K'\ \mathsf{says}\ A') \supset A')$

1. $\Box_{K'}(K' \supset \ulcorner A' \urcorner), K' \vdash_G (\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset (K' \supset \ulcorner A' \urcorner)$ (Rule (ax) and (T))

2. $\Box_{K'}(K' \supset \ulcorner A' \urcorner), K' \vdash_G \Box_{K'}(K' \supset \ulcorner A' \urcorner)$ (Rule (use))

3. $\Box_{K'}(K' \supset \ulcorner A' \urcorner), K' \vdash_G K' \supset \ulcorner A' \urcorner$ (Rule (mp))

4. $\Box_{K'}(K' \supset \ulcorner A' \urcorner), K' \vdash_G K'$ (Rule (use))

5. $\Box_{K'}(K' \supset \ulcorner A' \urcorner), K' \vdash_G \ulcorner A' \urcorner$ (Rule (mp))

6. $\cdot \vdash_G K' \supset ((\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset \ulcorner A' \urcorner)$ (Theorem E.2)

7. $\cdot \vdash_G \Box_{K'}(K' \supset ((\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset \ulcorner A' \urcorner))$ (Rule (nec))

8. $O \vdash_G \Box_{K'}(K' \supset ((\Box_{K'}(K' \supset \ulcorner A' \urcorner)) \supset \ulcorner A' \urcorner))$ (Weakening, Lemma E.1.1)

Case. (Axiom S) $A = (K'_1\ \mathsf{says}\ A') \supset (K'_2\ \mathsf{says}\ A')$, where $K'_1 \succeq K'_2$

1. $\cdot \vdash_G (K'_2 \supset K'_1) \supset ((K'_1 \supset \ulcorner A' \urcorner) \supset (K'_2 \supset \ulcorner A' \urcorner))$ (Basic propositional theorem)

2. $\cdot \vdash_G \Box_{K'_2}((K'_2 \supset K'_1) \supset ((K'_1 \supset \ulcorner A' \urcorner) \supset (K'_2 \supset \ulcorner A' \urcorner)))$ (Rule (nec))

3. $\cdot \vdash_G (\Box_{K'_2}(K'_2 \supset K'_1)) \supset ((\Box_{K'_2}(K'_1 \supset \ulcorner A' \urcorner)) \supset \Box_{K'_2}(K'_2 \supset \ulcorner A' \urcorner))$ (Rule (ax), (K), and rule (mp))

4. $\Box_{K'_2}(K'_2 \supset K'_1), \Box_{K'_2}(K'_1 \supset \ulcorner A' \urcorner) \vdash_G \Box_{K'_2}(K'_2 \supset \ulcorner A' \urcorner)$ (Theorem E.2)

5. $\cdot \vdash_G (\Box_\ell(K'_2 \supset K'_1)) \supset \Box_{K'_2}(K'_2 \supset K'_1)$ (Rule (ax) and (S))

6. $\Box_\ell(K'_2 \supset K'_1) \vdash_G \Box_{K'_2}(K'_2 \supset K'_1)$ (Theorem E.2)

7. $\cdot \vdash_G (\Box_{K'_1}(K'_1 \supset \ulcorner A' \urcorner)) \supset \Box_{K'_2}(K'_1 \supset \ulcorner A' \urcorner)$ (Rule (ax) and (S))

8. $\Box_{K'_1}(K'_1 \supset \ulcorner A' \urcorner) \vdash_G \Box_{K'_2}(K'_1 \supset \ulcorner A' \urcorner)$ (Theorem E.2)

9. $\Box_\ell(K'_2 \supset K'_1), \Box_{K'_2}(K'_1 \supset \ulcorner A' \urcorner) \vdash_G \Box_{K'_2}(K'_2 \supset \ulcorner A' \urcorner)$ (Lemma E.1.2 on 6 and 4)

10. $\Box_\ell(K'_2 \supset K'_1), \Box_{K'_1}(K'_1 \supset \ulcorner A' \urcorner) \vdash_G \Box_{K'_2}(K'_2 \supset \ulcorner A' \urcorner)$ (Lemma E.1.2 on 8 and 9)

11. $\Box_\ell(K'_2 \supset K'_1) \vdash_G (\Box_{K'_1}(K'_1 \supset \ulcorner A' \urcorner)) \supset \Box_{K'_2}(K'_2 \supset \ulcorner A' \urcorner)$ (Theorem E.2)

12. $O \vdash_G (\Box_{K'_1}(K'_1 \supset \ulcorner A' \urcorner)) \supset \Box_{K'_2}(K'_2 \supset \ulcorner A' \urcorner)$ (Weakening, Lemma E.1.1)

The remaining cases are straightforward.

□
E.3 Proof of Completeness

Our proof of completeness of the translation from DTL0 to CS4m is semantic, and uses Kripke models of DTL0 described in Section 4 and Appendix D. At a high level, the steps in the proof are the following. First we define an interpretation of the formulas of CS4m in Kripke models of DTL0, and show that the interpretation is sound. This is rather unusual, and works because the logics DTL0 and CS4m are quite similar. Next we show that for any DTL0 formula $A$, it is the case that $\models \ulcorner A \urcorner$ in this interpretation if and only if $\models A$ in the usual Kripke interpretation of DTL0. Then, completeness of the translation follows from completeness of DTL0 with respect to its Kripke models (Theorem D.7).

Definition E.5 (Kripke Interpretation of CS4m). Let $(W, \theta, \leq, (\sqsubseteq_K)_{K \in \mathrm{Prin}}, \rho, F)$ be a Kripke model for DTL0. Then for CS4m formulas, we define satisfaction at a world $w$ by induction on formulas as follows:

$w \models P$ iff $P \in \rho(w)$.

$w \models K$ iff $w \in F$ or $K \in \theta(w)$.

$w \models A \wedge B$ iff $w \models A$ and $w \models B$.

$w \models A \vee B$ iff $w \models A$ or $w \models B$.

$w \models \top$.

$w \models \bot$ iff $w \in F$.

$w \models A \supset B$ iff for all $w'$, $w \leq w'$ and $w' \models A$ imply $w' \models B$.

$w \models \Box_K A$ iff either $w \in F$ or (for all $w', w''$, $w \leq w' \sqsubseteq_K w''$ implies $w'' \models A$, and for all $w'$, $w \leq w'$ implies $w' \models A$).

Lemma E.6 (Monotonicity). For any CS4m formula $A$, $w \models A$ and $w \leq w'$ imply $w' \models A$.

Proof. By induction on $A$. Most cases work as for the proof of Lemma D.1. The only new cases here are $A = K$ and $A = \Box_K A'$.

Case. $A = K$. Since $w \models K$, $w \in F$ or $K \in \theta(w)$. In the former case, by condition (F-her), $w' \in F$. Thus $w' \models K$. In the latter case, by condition (Imp-mon), $K \in \theta(w')$. Thus $w' \models K$.

Case. $A = \Box_K A'$. We need to show that $w' \models \Box_K A'$. We assume that $w \notin F$ because otherwise $w' \in F$ by (F-her), and trivially we would have $w' \models \Box_K A'$. Pick any $w_2, w_3$ such that $w' \leq w_2 \sqsubseteq_K w_3$. Clearly, $w \leq w_2 \sqsubseteq_K w_3$. Hence by assumptions $w \models \Box_K A'$ and $w \notin F$, we get $w_3 \models A'$. Next, pick any $w'' \geq w'$. Clearly, $w \leq w''$. Hence by assumptions $w \models \Box_K A'$ and $w \notin F$, we get $w'' \models A'$. Thus $w' \models \Box_K A'$.

□

Lemma E.7 (Falsehood). For any CS4m formula $A$, $w \models \bot$ implies $w \models A$.

Proof. Exactly like that of Lemma D.2. □

As for DTL0, given a Kripke model $M$ we say that $M \models A$ if for each $w \in M$, $w \models A$. This interpretation is sound in the following sense.

Lemma E.8 (Soundness of Interpretation). If $\vdash A$ in CS4m, then for each DTL0 Kripke model $M$, $M \models A$.

Proof. Pick any model $M$. We induct on the derivation of $\vdash A$ in CS4m to show that for each $w \in M$, $w \models A$. We case analyze the last rule in the derivation of $\vdash A$.

Case (nec).
$$\frac{\vdash A}{\vdash \Box_K A}$$

Pick any $w', w''$ such that $w \leq w' \sqsubseteq_K w''$. By i.h., $w'' \models A$. Next, pick any $w'$ such that $w \leq w'$. By i.h., $w' \models A$. Thus by definition of satisfaction, $w \models \Box_K A$.

Case (mp).
$$\frac{\vdash A \supset B \qquad \vdash A}{\vdash B}$$

1. $w \models A \supset B$ (i.h. on 1st premise)

2. $w \models A$ (i.h. on 2nd premise)

3. $w \leq w$ (Reflexivity of $\leq$)

4. $w \models A$ implies $w \models B$ (Defn. of satisfaction, 1, 3)

5. $w \models B$ (2, 4)

Case (ax).
$$\frac{A \text{ is an axiom}}{\vdash A}$$

We analyze the possible axioms $A$.

Case. (Axiom K) $A = (\Box_{K'}(A' \supset B')) \supset ((\Box_{K'} A') \supset (\Box_{K'} B'))$

Pick any $w' \geq w$, and assume that $w' \models \Box_{K'}(A' \supset B')$. It suffices to show that $w' \models (\Box_{K'} A') \supset (\Box_{K'} B')$. Now pick any $w'' \geq w'$ and assume that $w'' \models \Box_{K'} A'$. Then it suffices to show that $w'' \models \Box_{K'} B'$. We may assume that $w, w', w'' \notin F$ because otherwise, by condition (F-her), $w'' \in F$, and trivially we would have $w'' \models \Box_{K'} B'$.

Pick $w_3, w_4$ such that $w'' \leq w_3 \sqsubseteq_{K'} w_4$. Observe that $w' \leq w_3 \sqsubseteq_{K'} w_4$. From assumptions $w' \models \Box_{K'}(A' \supset B')$ and $w' \notin F$ it follows that $w_4 \models A' \supset B'$. Similarly, from assumptions $w'' \models \Box_{K'} A'$ and $w'' \notin F$ it follows that $w_4 \models A'$. Clearly, then $w_4 \models B'$.

Next pick $w_3$ such that $w'' \leq w_3$. Observe that $w' \leq w_3$. From assumptions $w' \models \Box_{K'}(A' \supset B')$ and $w' \notin F$ it follows that $w_3 \models A' \supset B'$. Similarly, from assumptions $w'' \models \Box_{K'} A'$ and $w'' \notin F$ it follows that $w_3 \models A'$. Thus $w_3 \models B'$.

It follows from the definition of satisfaction for $\Box_{K'} B'$ that $w'' \models \Box_{K'} B'$.

Case. (Axiom 4) $A = (\Box_{K'} A') \supset \Box_{K'} \Box_{K'} A'$

Pick any $w' \geq w$, and assume that $w' \models \Box_{K'} A'$. It suffices to show that $w' \models \Box_{K'} \Box_{K'} A'$. We may assume that $w' \notin F$ because otherwise $w' \models \Box_{K'} \Box_{K'} A'$ trivially by definition of satisfaction.

Pick any $w_2, w_3$ such that $w' \leq w_2 \sqsubseteq_{K'} w_3$. We must show that $w_3 \models \Box_{K'} A'$. So pick any $w_4, w_5$ such that $w_3 \leq w_4 \sqsubseteq_{K'} w_5$. We must show that $w_5 \models A'$. Observe that $w' \leq w_2 \sqsubseteq_{K'} w_3 \leq w_4 \sqsubseteq_{K'} w_5$. By (commutativity), $w' \leq w_2 \sqsubseteq_{K'} w_4 \sqsubseteq_{K'} w_5$. By (mod-trans), $w' \leq w_2 \sqsubseteq_{K'} w_5$. It follows from assumptions $w' \models \Box_{K'} A'$ and $w' \notin F$ that $w_5 \models A'$. Next, pick any $w_4$ such that $w_3 \leq w_4$. We must show that $w_4 \models A'$. Observe that $w' \leq w_2 \sqsubseteq_{K'} w_3 \leq w_4$. By (commutativity), $w' \leq w_2 \sqsubseteq_{K'} w_4$. It follows from assumptions $w' \models \Box_{K'} A'$ and $w' \notin F$ that $w_4 \models A'$. Hence $w_3 \models \Box_{K'} A'$.

Next pick $w_2$ such that $w' \leq w_2$. We must show that $w_2 \models \Box_{K'} A'$. So pick any $w_3, w_4$ such that $w_2 \leq w_3 \sqsubseteq_{K'} w_4$. We must show that $w_4 \models A'$. Observe that $w' \leq w_3 \sqsubseteq_{K'} w_4$. It follows from assumptions $w' \models \Box_{K'} A'$ and $w' \notin F$ that $w_4 \models A'$. Finally pick $w_3$ such that $w_2 \leq w_3$. We must show that $w_3 \models A'$. Observe that $w' \leq w_3$. By assumptions $w' \models \Box_{K'} A'$ and $w' \notin F$ it follows that $w_3 \models A'$. Hence $w_2 \models \Box_{K'} A'$.

Thus $w' \models \Box_{K'} \Box_{K'} A'$.

Case. (Axiom T) $A = (\Box_{K'} A') \supset A'$

Pick any $w' \geq w$, and assume that $w' \models \Box_{K'} A'$. It suffices to show that $w' \models A'$. We may assume that $w' \notin F$, else $w' \models \bot$ and by Lemma E.7, $w' \models A'$. Now observe that $w' \leq w'$. Hence by definition of satisfaction of $\Box_{K'} A'$, we must have $w' \models A'$ as required.

Case. (Axiom S) $A = (\Box_K A') \supset \Box_{K'} A'$, where $K \succeq K'$

Pick any $w' \geq w$, and assume that $w' \models \Box_K A'$. It suffices to show that $w' \models \Box_{K'} A'$. We may assume that $w' \notin F$, else we trivially have $w' \models \Box_{K'} A'$ by definition of satisfaction.

Pick any $w_2, w_3$ such that $w' \leq w_2 \sqsubseteq_{K'} w_3$. We must show that $w_3 \models A'$. By (mod-closure), $w' \leq w_2 \sqsubseteq_K w_3$. It follows by assumptions $w' \models \Box_K A'$ and $w' \notin F$ that $w_3 \models A'$.

Next pick any $w_2$ such that $w' \leq w_2$. We must show that $w_2 \models A'$. This follows immediately by assumptions $w' \models \Box_K A'$ and $w' \notin F$.

Thus $w' \models \Box_{K'} A'$, as required.

The remaining cases are straightforward, as they do not rely on modalities.

□

Now we prove a critical lemma, which states that $w \models \ulcorner A \urcorner$ if and only if $w \models A$, for each DTL0 formula $A$.

Lemma E.9 (Critical Lemma). For each DTL0 formula $A$, each Kripke model $M$, and each $w \in M$, it is the case that $w \models A$ if and only if $w \models \ulcorner A \urcorner$.

Proof. We induct on $A$, and analyze cases on the top constructor in it.

Case. $A = P$ ($A$ is atomic). $\ulcorner A \urcorner = P$.

By definition, $w \models A$ iff $P \in \rho(w)$ iff $w \models \ulcorner A \urcorner$.

Case. $A = A_1 \wedge A_2$. $\ulcorner A \urcorner = \ulcorner A_1 \urcorner \wedge \ulcorner A_2 \urcorner$.

$w \models A_1 \wedge A_2$ iff $w \models A_1$ and $w \models A_2$ (Defn.)

iff $w \models \ulcorner A_1 \urcorner$ and $w \models \ulcorner A_2 \urcorner$ (i.h.)

iff $w \models \ulcorner A_1 \urcorner \wedge \ulcorner A_2 \urcorner$ (Defn.)

Case. $A = A_1 \vee A_2$. $\ulcorner A \urcorner = \ulcorner A_1 \urcorner \vee \ulcorner A_2 \urcorner$.

$w \models A_1 \vee A_2$ iff $w \models A_1$ or $w \models A_2$ (Defn.)

iff $w \models \ulcorner A_1 \urcorner$ or $w \models \ulcorner A_2 \urcorner$ (i.h.)

iff $w \models \ulcorner A_1 \urcorner \vee \ulcorner A_2 \urcorner$ (Defn.)

Case. $A = A_1 \supset A_2$. $\ulcorner A \urcorner = \ulcorner A_1 \urcorner \supset \ulcorner A_2 \urcorner$.

Suppose $w \models A_1 \supset A_2$. Pick any $w' \geq w$ and assume that $w' \models \ulcorner A_1 \urcorner$. It suffices to show that $w' \models \ulcorner A_2 \urcorner$. By i.h., $w' \models A_1$. By assumption $w \models A_1 \supset A_2$, $w' \models A_1$ implies $w' \models A_2$. Thus $w' \models A_2$. By i.h., $w' \models \ulcorner A_2 \urcorner$ as required.

Conversely, suppose $w \models \ulcorner A_1 \urcorner \supset \ulcorner A_2 \urcorner$. Pick any $w' \geq w$ and assume that $w' \models A_1$. It suffices to show that $w' \models A_2$. By i.h., $w' \models \ulcorner A_1 \urcorner$. By assumption $w \models \ulcorner A_1 \urcorner \supset \ulcorner A_2 \urcorner$, $w' \models \ulcorner A_1 \urcorner$ implies $w' \models \ulcorner A_2 \urcorner$. Thus $w' \models \ulcorner A_2 \urcorner$. By i.h., $w' \models A_2$ as required.

Case. $A = \top$. $\ulcorner A \urcorner = \top$.

This case is trivial because $w \models \top$ for each $w$.

Case. $A = \bot$. $\ulcorner A \urcorner = \bot$.

By definition, $w \models A$ iff $w \in F$ iff $w \models \ulcorner A \urcorner$.

Case. $A = K\ \mathsf{says}\ B$. $\ulcorner A \urcorner = \Box_K(K \supset \ulcorner B \urcorner)$.

Suppose $w \models K\ \mathsf{says}\ B$. We must show that $w \models \Box_K(K \supset \ulcorner B \urcorner)$. We may assume that $w \notin F$, otherwise by definition we have $w \models \Box_K(K \supset \ulcorner B \urcorner)$.

Pick any $w_1, w_2$ such that $w \leq w_1 \sqsubseteq_K w_2$. We need to show that $w_2 \models K \supset \ulcorner B \urcorner$. So pick any $w_3$ such that $w_2 \leq w_3$ and $w_3 \models K$. It suffices to show that $w_3 \models \ulcorner B \urcorner$. Now observe that $w \leq w_1 \sqsubseteq_K w_2 \leq w_3$. By (commutativity), $w \leq w_1 \sqsubseteq_K w_3$. By assumptions $w \models K\ \mathsf{says}\ B$ and $w \notin F$, we get $w_3 \models B$. By i.h., $w_3 \models \ulcorner B \urcorner$, as required.

Next, pick any $w_1$ such that $w \leq w_1$. We need to show that $w_1 \models K \supset \ulcorner B \urcorner$. Pick any $w_2$ such that $w_1 \leq w_2$ and $w_2 \models K$. It suffices to show that $w_2 \models \ulcorner B \urcorner$. From assumption $w_2 \models K$, we get $w_2 \in F$ or $K \in \theta(w_2)$. If $w_2 \in F$, then by Lemma E.7, $w_2 \models \ulcorner B \urcorner$. If $K \in \theta(w_2)$, by (mod-refl) we get $w_2 \sqsubseteq_K w_2$. We therefore have $w \leq w_2 \sqsubseteq_K w_2$. By assumptions $w \models K\ \mathsf{says}\ B$ and $w \notin F$, we get $w_2 \models B$. By i.h., $w_2 \models \ulcorner B \urcorner$, as required. Thus $w \models \Box_K(K \supset \ulcorner B \urcorner)$.

Conversely, suppose that $w \models \Box_K(K \supset \ulcorner B \urcorner)$. We must show that $w \models K\ \mathsf{says}\ B$. We may assume that $w \notin F$, otherwise by definition we have $w \models K\ \mathsf{says}\ B$.

Pick any $w_1, w_2$ such that $w \leq w_1 \sqsubseteq_K w_2$. It suffices to show that $w_2 \models B$. By assumptions $w \models \Box_K(K \supset \ulcorner B \urcorner)$ and $w \notin F$ it follows that $w_2 \models K \supset \ulcorner B \urcorner$. Hence, $w_2 \models K$ implies $w_2 \models \ulcorner B \urcorner$. Now, by definition of $\sqsubseteq_K$, $K \in \theta(w_2)$. Thus, $w_2 \models K$. This gives us $w_2 \models \ulcorner B \urcorner$. By i.h., $w_2 \models B$ as required. □
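Definition E.5 and Lemma E.9 can be exercised on a small finite model. The following is an added example, not code from the paper: it constructs a four-world DTL0 Kripke model (worlds, views, valuation, fallible set and the relations $\sqsubseteq_K$ are all constructed here, with $\sqsubseteq_K$ taken to be "$v$ lies above $w$ and $K$ is in the view of $v$"), checks the frame conditions named in Lemma D.4, implements both satisfaction relations and the translation $\ulcorner \cdot \urcorner$, and verifies $w \models A$ iff $w \models \ulcorner A \urcorner$ on a handful of constructed formulas.

```python
"""Added example (not from the paper): a constructed finite DTL0 Kripke model,
the DTL0 and CS4m (Definition E.5) satisfaction relations, the translation
|A| of Section 5.1, and a brute-force check of Lemma E.9 on that model."""
from itertools import product

# Constructed model (W, theta, <=, (sqsubseteq_K)_K, rho, F) with principals
# a and b, where b is stronger than a (b >= a).
PRINCIPALS = ["a", "b"]
GEQ = {("a", "a"), ("b", "b"), ("b", "a")}             # pairs (K', K) with K' >= K
W = [0, 1, 2, 3]
LEQ = {(w, v) for w in W for v in W if w <= v}          # chain 0 <= 1 <= 2 <= 3
THETA = {0: {"b"}, 1: {"a", "b"}, 2: {"a", "b"}, 3: {"a", "b"}}  # views theta(w)
RHO = {0: set(), 1: {"p"}, 2: {"p"}, 3: {"p", "q"}}     # hereditary valuation
F = {3}                                                 # the fallible world
ATOMS = ["p", "q"]

def acc(k, w, v):
    """w ⊑_K v, constructed here as: v lies above w and K is in the view of v."""
    return (w, v) in LEQ and k in THETA[v]

def frame_ok():
    """Check the conditions of Definition 4.1 named in Lemma D.4 (Imp-refl and
    Imp-trans hold by construction of LEQ)."""
    for w, v, u in product(W, W, W):
        if (w, v) in LEQ and not (THETA[w] <= THETA[v] and RHO[w] <= RHO[v]
                                  and (w not in F or v in F)):
            return False                                # Imp-mon, Rho-her, F-her
        for k, k2 in product(PRINCIPALS, PRINCIPALS):
            if (k2, k) in GEQ and k in THETA[w] and k2 not in THETA[w]:
                return False                            # View-closure
            if (k2, k) in GEQ and acc(k, w, v) and not acc(k2, w, v):
                return False                            # Mod-closure
            if k in THETA[w] and not acc(k, w, w):
                return False                            # Mod-refl
            if acc(k, w, v) and acc(k, v, u) and not acc(k, w, u):
                return False                            # Mod-trans
            if acc(k, w, v) and (v, u) in LEQ and not acc(k, w, u):
                return False                            # Commutativity
    return all(RHO[w] == set(ATOMS) for w in F)         # F-univ

def _prop(sat, w, a):
    """Propositional clauses shared by both satisfaction relations; None if modal."""
    op = a[0]
    table = {
        "atom": lambda: a[1] in RHO[w],
        "top": lambda: True,
        "bot": lambda: w in F,
        "and": lambda: sat(w, a[1]) and sat(w, a[2]),
        "or": lambda: sat(w, a[1]) or sat(w, a[2]),
        # A ⊃ B: for all v >= w, v |= A implies v |= B
        "imp": lambda: all(sat(v, a[2]) for v in W if (w, v) in LEQ and sat(v, a[1])),
    }
    return table[op]() if op in table else None

def sat_dtl(w, a):
    """w |= A for a DTL0 formula A (Section 4 / Appendix D)."""
    r = _prop(sat_dtl, w, a)
    if r is not None:
        return r
    assert a[0] == "says", a
    k, body = a[1], a[2]   # K says B: w in F, or B at every u with w <= v ⊑_K u
    return w in F or all(sat_dtl(u, body) for v, u in product(W, W)
                         if (w, v) in LEQ and acc(k, v, u))

def sat_cs4(w, a):
    """w |= A for a CS4m formula A in the same model (Definition E.5)."""
    r = _prop(sat_cs4, w, a)
    if r is not None:
        return r
    if a[0] == "prin":     # a principal name holds at fallible worlds or in its view
        return w in F or a[1] in THETA[w]
    assert a[0] == "box", a
    k, body = a[1], a[2]   # Box_K B: w in F, or (B at all u with w <= v ⊑_K u, and B at all v >= w)
    return w in F or (all(sat_cs4(u, body) for v, u in product(W, W)
                          if (w, v) in LEQ and acc(k, v, u))
                      and all(sat_cs4(v, body) for v in W if (w, v) in LEQ))

def translate(a):
    """The translation |A| of Section 5.1: |K says A| = Box_K (K ⊃ |A|)."""
    op = a[0]
    if op in ("atom", "top", "bot"):
        return a
    if op == "says":
        return ("box", a[1], ("imp", ("prin", a[1]), translate(a[2])))
    return (op, translate(a[1]), translate(a[2]))

P, Q = ("atom", "p"), ("atom", "q")
SAMPLES = [("says", "a", P), ("says", "b", P), ("says", "a", Q),   # constructed formulas
    ("says", "b", ("says", "a", P)), ("or", ("says", "a", Q), ("bot",)),
    ("imp", ("says", "b", P), ("says", "a", P)),   # an instance of axiom (S), b >= a
    ("says", "a", ("imp", ("says", "a", P), P)),   # an instance of axiom (C)
]

def critical_lemma_holds():
    """Lemma E.9 on SAMPLES: w |= A iff w |= |A| at every world of the model."""
    return all(sat_dtl(w, a) == sat_cs4(w, translate(a)) for w in W for a in SAMPLES)
```

Changing `RHO` so that the valuation is no longer hereditary, or dropping `b` from a view, makes `frame_ok()` fail, which shows which conditions of Definition 4.1 the lemma's proof leans on.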

We need one last lemma before we establish soundness and completeness. This lemma states that O is satisfied in all Kripke models.

Lemma E.10 (Satisfaction for orders). For every Kripke model M, and every w ∈ M, w ⊨ O.

Proof. We show that w ⊨ □_K(K1 ⊃ K2) whenever K2 ⪰ K1. Pick any w', w'' such that w ≤ w' ⊑_K w''. We need to show that w'' ⊨ K1 ⊃ K2. Pick any w3 ≥ w'' and assume that w3 ⊨ K1. It suffices to show that w3 ⊨ K2. By the assumption w3 ⊨ K1, we get w3 ∈ F or K1 ∈ θ(w3). If w3 ∈ F, then w3 ⊨ K2 by definition. If K1 ∈ θ(w3), then by (view-closure) and K2 ⪰ K1, we get K2 ∈ θ(w3). Thus w3 ⊨ K2, as required.

Next pick w' such that w' ≥ w. We need to show that w' ⊨ K1 ⊃ K2. Pick any w2 ≥ w' and assume that w2 ⊨ K1. It suffices to show that w2 ⊨ K2. By the assumption w2 ⊨ K1, we get w2 ∈ F or K1 ∈ θ(w2). If w2 ∈ F, then w2 ⊨ K2 by definition. If K1 ∈ θ(w2), then by (view-closure) and K2 ⪰ K1, we get K2 ∈ θ(w2). Thus w2 ⊨ K2, as required.

Hence w ⊨ □_K(K1 ⊃ K2) whenever K2 ⪰ K1, and consequently w ⊨ O. □

Theorem E.11 (Correctness; Theorem 5.2). · →^K A in DTL0 if and only if ⊢ O ⊃ (K ⊃ ⌜A⌝) in CS4m.

Proof. Suppose · →^K A. By Corollary C.10, ⊢_H K says A in DTL0's axiomatic system. By Lemma E.4, O ⊢_G □_K(K ⊃ ⌜A⌝) in CS4m's axiomatic system. Since O ⊢_G (□_K(K ⊃ ⌜A⌝)) ⊃ (K ⊃ ⌜A⌝) by Axiom (T), we get O ⊢_G K ⊃ ⌜A⌝ by (mp). By Theorem E.2, · ⊢_G O ⊃ (K ⊃ ⌜A⌝), and by Theorem E.3, ⊢ O ⊃ (K ⊃ ⌜A⌝).

Conversely, suppose that ⊢ O ⊃ (K ⊃ ⌜A⌝) in CS4m. By Lemma E.8, for each Kripke model M and each world w, w ⊨ O ⊃ (K ⊃ ⌜A⌝). From Lemma E.10, w ⊨ O. Therefore w ⊨ K ⊃ ⌜A⌝. Since w is arbitrary, M ⊨ K ⊃ ⌜A⌝. Now pick any w ∈ W_K. By definition, w ⊨ K. Using this fact and M ⊨ K ⊃ ⌜A⌝, we get w ⊨ ⌜A⌝. Using Lemma E.9, we deduce w ⊨ A. Since w is arbitrarily chosen in W_K, we get M ⊨_K A. Since M is arbitrary, by Theorem D.7 we obtain · →^K A. □

F Proofs from Section 5.2

In this Appendix we prove that the translation from ICL to DTL0 is both sound and complete (Theorem 5.3). We use a sequent calculus formulation of ICL that is shown in Figure 6.[10] This sequent calculus is taken from earlier work [33] (for a slightly more detailed, tutorial explanation see [30]). It uses two categorical judgments: A true and K affirms A. The latter means that principal K states that A is true. Just as K says A internalizes K claims A in DTL0, K says A internalizes K affirms A in ICL. Unlike DTL0, where the judgment K claims A only occurs in the hypotheses but never as the conclusion of a sequent, the judgment K affirms A in ICL occurs only in the conclusions of sequents and never in the hypotheses. This shift is due to the difference in the nature of says in the two logics. As usual, the judgment name true is often elided. It is quite easy to show that this sequent calculus is equivalent to the axiomatic presentation for ICL (Section 5.2).

[10] We could have avoided using the sequent calculus for ICL, and worked with the axiomatic system, without any significant change to the proof method. Using the sequent calculus eliminates trivial steps that often arise in formal axiomatic proofs, and compacts our proofs.

Figure 6: Sequent Calculus for ICL (each rule is written as "premises / conclusion")

init:    Γ, P ⊢ P   (P atomic)
affs:    Γ ⊢ A  /  Γ ⊢ K affirms A
saysR:   Γ ⊢ K affirms A  /  Γ ⊢ K says A
saysL:   Γ, K says A, A ⊢ K affirms C  /  Γ, K says A ⊢ K affirms C
∧R:      Γ ⊢ A    Γ ⊢ B  /  Γ ⊢ A ∧ B
∧L:      Γ, A ∧ B, A, B ⊢ C  /  Γ, A ∧ B ⊢ C
∧Laff:   Γ, A ∧ B, A, B ⊢ K affirms C  /  Γ, A ∧ B ⊢ K affirms C
∨R1:     Γ ⊢ A  /  Γ ⊢ A ∨ B
∨R2:     Γ ⊢ B  /  Γ ⊢ A ∨ B
∨L:      Γ, A ∨ B, A ⊢ C    Γ, A ∨ B, B ⊢ C  /  Γ, A ∨ B ⊢ C
∨Laff:   Γ, A ∨ B, A ⊢ K affirms C    Γ, A ∨ B, B ⊢ K affirms C  /  Γ, A ∨ B ⊢ K affirms C
⊤R:      Γ ⊢ ⊤
⊥L:      Γ, ⊥ ⊢ C
⊥Laff:   Γ, ⊥ ⊢ K affirms C
⊃R:      Γ, A ⊢ B  /  Γ ⊢ A ⊃ B
⊃L:      Γ, A ⊃ B ⊢ A    Γ, A ⊃ B, B ⊢ C  /  Γ, A ⊃ B ⊢ C
⊃Laff:   Γ, A ⊃ B ⊢ A    Γ, A ⊃ B, B ⊢ K affirms C  /  Γ, A ⊃ B ⊢ K affirms C

Lemma F.1. ⊢ A in ICL's axiomatic system if and only if · ⊢ A in ICL's sequent calculus.

Proof. It is easy to show by induction that ⊢ A implies · ⊢ A. For the proof in the other direction, we generalize the statement, and prove by induction that whenever Γ ⊢ A in the sequent calculus, then ⊢ Γ ⊃ A in the axiomatic system. (This requires that we establish the deduction theorem for the axiomatic system, but that is straightforward.) □

The sequent calculus for ICL admits two cut principles, as the following lemma states.

Lemma F.2 (Admissibility of Cut). The following hold for ICL's sequent calculus.

1. Γ ⊢ A and Γ, A ⊢ C imply Γ ⊢ C.

2. Γ ⊢ K affirms A and Γ, A ⊢ K affirms C imply Γ ⊢ K affirms C.

Proof. See [33], Theorem 2, clauses 4 and 5. □

Similarly, the identity property also holds for ICL's sequent calculus.

Lemma F.3 (Identity). For each formula A, it is the case that Γ, A ⊢ A.

Proof. See [33], Theorem 2, clause 2. □


F.1 Proof of Soundness

Before proving soundness we prove a basic lemma.

Lemma F.4 (Global Lemma). For each ICL formula A and each principal K in DTL0, it is the case that ⌜A⌝ →^K ℓ says ⌜A⌝ in DTL0.

Proof. We induct on A, and case analyze its top constructor.

Case. A is atomic.

1. ℓ claims A, A → A (Rule (init))
2. ℓ claims A → A (Rule (claims))
3. ℓ claims A → ℓ says A (Rule (saysR))
4. ℓ claims A, ℓ says A → ℓ says ℓ says A (Rule (saysR))
5. ℓ says A → ℓ says ℓ says A (Rule (saysL))

Case. A = A1 ∧ A2 (below we write ⌜A⌝ and ⌜B⌝ for ⌜A1⌝ and ⌜A2⌝).

1. ℓ claims ⌜A⌝, ℓ claims ⌜B⌝, ⌜A⌝ → ⌜A⌝ (Theorem B.3)
2. ℓ claims ⌜A⌝, ℓ claims ⌜B⌝ → ⌜A⌝ (Rule (claims))
3. ℓ claims ⌜A⌝, ℓ claims ⌜B⌝, ⌜B⌝ → ⌜B⌝ (Theorem B.3)
4. ℓ claims ⌜A⌝, ℓ claims ⌜B⌝ → ⌜B⌝ (Rule (claims))
5. ℓ claims ⌜A⌝, ℓ claims ⌜B⌝ → ⌜A⌝ ∧ ⌜B⌝ (Rule (∧R) on 2 and 4)
6. ℓ claims ⌜A⌝, ℓ claims ⌜B⌝, ℓ says ⌜A⌝, ℓ says ⌜B⌝, ⌜A⌝ ∧ ⌜B⌝ → ℓ says (⌜A⌝ ∧ ⌜B⌝) (Rule (saysR))
7. ℓ says ⌜A⌝, ℓ says ⌜B⌝, ⌜A⌝ ∧ ⌜B⌝ → ℓ says (⌜A⌝ ∧ ⌜B⌝) (Rule (saysL) twice)
8. ⌜A⌝ → ℓ says ⌜A⌝ (i.h. on A)
9. ⌜A⌝, ℓ says ⌜B⌝, ⌜A⌝ ∧ ⌜B⌝ → ℓ says (⌜A⌝ ∧ ⌜B⌝) (Theorem B.2 on 8 and 7)
10. ⌜B⌝ → ℓ says ⌜B⌝ (i.h. on B)
11. ⌜A⌝, ⌜B⌝, ⌜A⌝ ∧ ⌜B⌝ → ℓ says (⌜A⌝ ∧ ⌜B⌝) (Theorem B.2 on 10 and 9)
12. ⌜A⌝ ∧ ⌜B⌝ → ℓ says (⌜A⌝ ∧ ⌜B⌝) (Rule (∧L))

Case. A = A1 ∨ A2 (again written ⌜A⌝ ∨ ⌜B⌝).

1. ℓ claims ⌜A⌝, ⌜A⌝ → ⌜A⌝ (Theorem B.3)
2. ℓ claims ⌜A⌝, ⌜A⌝ → ⌜A⌝ ∨ ⌜B⌝ (Rule (∨R1))
3. ℓ claims ⌜A⌝ → ⌜A⌝ ∨ ⌜B⌝ (Rule (claims))
4. ℓ claims ⌜A⌝, ℓ says ⌜A⌝, ⌜A⌝ ∨ ⌜B⌝ → ℓ says (⌜A⌝ ∨ ⌜B⌝) (Rule (saysR))
5. ℓ says ⌜A⌝, ⌜A⌝ ∨ ⌜B⌝ → ℓ says (⌜A⌝ ∨ ⌜B⌝) (Rule (saysL))
6. ⌜A⌝ → ℓ says ⌜A⌝ (i.h. on A)
7. ⌜A⌝, ⌜A⌝ ∨ ⌜B⌝ → ℓ says (⌜A⌝ ∨ ⌜B⌝) (Theorem B.2 on 6 and 5)
8. ℓ says ⌜B⌝, ⌜A⌝ ∨ ⌜B⌝ → ℓ says (⌜A⌝ ∨ ⌜B⌝) (Similar to 5)
9. ⌜B⌝ → ℓ says ⌜B⌝ (i.h. on B)
10. ⌜B⌝, ⌜A⌝ ∨ ⌜B⌝ → ℓ says (⌜A⌝ ∨ ⌜B⌝) (Theorem B.2 on 9 and 8)
11. ⌜A⌝ ∨ ⌜B⌝ → ℓ says (⌜A⌝ ∨ ⌜B⌝) (Rule (∨L) on 7 and 10)

Case. A = ⊤

1. · → ⊤ (Rule (⊤R))
2. ⊤ → ℓ says ⊤ (Rule (saysR))

Case. A = ⊥

1. ⊥ → ℓ says ⊥ (Rule (⊥L))

Case. A = A1 ⊃ A2

1. ℓ claims (⌜A1⌝ ⊃ ⌜A2⌝), ⌜A1⌝ ⊃ ⌜A2⌝ → ⌜A1⌝ ⊃ ⌜A2⌝ (Theorem B.3)
2. ℓ claims (⌜A1⌝ ⊃ ⌜A2⌝) → ⌜A1⌝ ⊃ ⌜A2⌝ (Rule (claims))
3. ℓ claims (⌜A1⌝ ⊃ ⌜A2⌝) → ℓ says (⌜A1⌝ ⊃ ⌜A2⌝) (Rule (saysR))
4. ℓ claims (⌜A1⌝ ⊃ ⌜A2⌝), ℓ says (⌜A1⌝ ⊃ ⌜A2⌝) → ℓ says ℓ says (⌜A1⌝ ⊃ ⌜A2⌝) (Rule (saysR))
5. ℓ says (⌜A1⌝ ⊃ ⌜A2⌝) → ℓ says ℓ says (⌜A1⌝ ⊃ ⌜A2⌝) (Rule (saysL))

Case. A = K' says B (K' an ICL principal).

1. ℓ claims K' says ⌜B⌝, K' says ⌜B⌝ → K' says ⌜B⌝ (Theorem B.3)
2. ℓ claims K' says ⌜B⌝ → K' says ⌜B⌝ (Rule (claims))
3. ℓ claims K' says ⌜B⌝ → ℓ says K' says ⌜B⌝ (Rule (saysR))
4. ℓ claims K' says ⌜B⌝, ℓ says K' says ⌜B⌝ → ℓ says ℓ says K' says ⌜B⌝ (Rule (saysR))
5. ℓ says K' says ⌜B⌝ → ℓ says ℓ says K' says ⌜B⌝ (Rule (saysL))

□

Now we prove soundness of the translation. If Γ is a set of DTL0 formulas, we use the notation ℓ claims Γ to denote the DTL0 hypothesis obtained by prefixing each formula in Γ with ℓ claims.

Lemma F.5 (Soundness of Translation). The following hold for any ICL formula A, any ICL principal K, and any set Γ of ICL formulas.

1. If Γ ⊢ A in ICL's sequent calculus, then ℓ claims ⌜Γ⌝ →^ℓ ⌜A⌝ in DTL0.

2. If Γ ⊢ K affirms A in ICL's sequent calculus, then ℓ claims ⌜Γ⌝ →^K ⌜A⌝ in DTL0.

Proof. We prove both statements by simultaneous induction on the given proofs in ICL's sequent calculus. We analyze cases of the last rule.


Proof of (1).

Case (init): Γ, P ⊢ P   (P atomic)

1. ℓ claims ⌜Γ⌝, ℓ claims ℓ says P, ℓ says P, ℓ claims P, P →^ℓ P (Rule (init))
2. ℓ claims ⌜Γ⌝, ℓ claims ℓ says P, ℓ says P, ℓ claims P →^ℓ P (Rule (claims))
3. ℓ claims ⌜Γ⌝, ℓ claims ℓ says P, ℓ says P →^ℓ P (Rule (saysL))
4. ℓ claims ⌜Γ⌝, ℓ claims ℓ says P →^ℓ P (Rule (claims))
5. ℓ claims ⌜Γ⌝, ℓ claims ℓ says P →^ℓ ℓ says P (Rule (saysR))

Case (saysR): Γ ⊢ K affirms A  /  Γ ⊢ K says A

1. ℓ claims ⌜Γ⌝ →^K ⌜A⌝ (i.h. on premise)
2. ℓ claims ⌜Γ⌝ →^ℓ K says ⌜A⌝ (Rule (saysR))
3. ℓ claims ⌜Γ⌝ →^ℓ ℓ says K says ⌜A⌝ (Rule (saysR))

Case (∧R): Γ ⊢ A    Γ ⊢ B  /  Γ ⊢ A ∧ B

1. ℓ claims ⌜Γ⌝ →^ℓ ⌜A⌝ (i.h. on 1st premise)
2. ℓ claims ⌜Γ⌝ →^ℓ ⌜B⌝ (i.h. on 2nd premise)
3. ℓ claims ⌜Γ⌝ →^ℓ ⌜A⌝ ∧ ⌜B⌝ (Rule (∧R))

Case (∧L): Γ, A ∧ B, A, B ⊢ C  /  Γ, A ∧ B ⊢ C

1. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ℓ claims ⌜A⌝, ℓ claims ⌜B⌝ →^ℓ ⌜C⌝ (i.h. on premise)
2. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ℓ says ⌜A⌝, ℓ says ⌜B⌝ →^ℓ ⌜C⌝ (Weakening and Rule (saysL))
3. ⌜A⌝ →^ℓ ℓ says ⌜A⌝ (Lemma F.4)
4. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ⌜A⌝, ℓ says ⌜B⌝ →^ℓ ⌜C⌝ (Theorem B.2 on 3 and 2)
5. ⌜B⌝ →^ℓ ℓ says ⌜B⌝ (Lemma F.4)
6. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ⌜A⌝, ⌜B⌝ →^ℓ ⌜C⌝ (Theorem B.2 on 5 and 4)
7. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ⌜A⌝ ∧ ⌜B⌝, ⌜A⌝, ⌜B⌝ →^ℓ ⌜C⌝ (Weakening)
8. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ⌜A⌝ ∧ ⌜B⌝ →^ℓ ⌜C⌝ (Rule (∧L))
9. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝) →^ℓ ⌜C⌝ (Rule (claims))

Case (∨R1): Γ ⊢ A  /  Γ ⊢ A ∨ B

1. ℓ claims ⌜Γ⌝ →^ℓ ⌜A⌝ (i.h. on premise)
2. ℓ claims ⌜Γ⌝ →^ℓ ⌜A⌝ ∨ ⌜B⌝ (Rule (∨R1))

Case (∨R2): Γ ⊢ B  /  Γ ⊢ A ∨ B

1. ℓ claims ⌜Γ⌝ →^ℓ ⌜B⌝ (i.h. on premise)
2. ℓ claims ⌜Γ⌝ →^ℓ ⌜A⌝ ∨ ⌜B⌝ (Rule (∨R2))

Case (∨L): Γ, A ∨ B, A ⊢ C    Γ, A ∨ B, B ⊢ C  /  Γ, A ∨ B ⊢ C

1. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ℓ claims ⌜A⌝ →^ℓ ⌜C⌝ (i.h. on 1st premise)
2. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ℓ says ⌜A⌝ →^ℓ ⌜C⌝ (Weakening and Rule (saysL))
3. ⌜A⌝ →^ℓ ℓ says ⌜A⌝ (Lemma F.4)
4. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ⌜A⌝ →^ℓ ⌜C⌝ (Theorem B.2 on 3 and 2)
5. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ⌜A⌝ ∨ ⌜B⌝, ⌜A⌝ →^ℓ ⌜C⌝ (Weakening)
6. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ⌜A⌝ ∨ ⌜B⌝, ⌜B⌝ →^ℓ ⌜C⌝ (Similar to 5)
7. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ⌜A⌝ ∨ ⌜B⌝ →^ℓ ⌜C⌝ (Rule (∨L) on 5 and 6)
8. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝) →^ℓ ⌜C⌝ (Rule (claims))

Case (⊤R): Γ ⊢ ⊤

1. ℓ claims ⌜Γ⌝ →^ℓ ⊤ (Rule (⊤R))

Case (⊥L): Γ, ⊥ ⊢ C

1. ℓ claims ⌜Γ⌝, ℓ claims ⊥, ⊥ →^ℓ ⌜C⌝ (Rule (⊥L))
2. ℓ claims ⌜Γ⌝, ℓ claims ⊥ →^ℓ ⌜C⌝ (Rule (claims))

Case (⊃R): Γ, A ⊢ B  /  Γ ⊢ A ⊃ B

1. ℓ claims ⌜Γ⌝, ℓ claims ⌜A⌝ →^ℓ ⌜B⌝ (i.h. on premise)
2. ℓ claims ⌜Γ⌝, ℓ says ⌜A⌝ →^ℓ ⌜B⌝ (Weakening and Rule (saysL))
3. ⌜A⌝ →^ℓ ℓ says ⌜A⌝ (Lemma F.4)
4. ℓ claims ⌜Γ⌝, ⌜A⌝ →^ℓ ⌜B⌝ (Theorem B.2 on 3 and 2)
5. ℓ claims ⌜Γ⌝ →^ℓ ⌜A⌝ ⊃ ⌜B⌝ (Rule (⊃R))
6. ℓ claims ⌜Γ⌝ →^ℓ ℓ says (⌜A⌝ ⊃ ⌜B⌝) (Rule (saysR))

Case (⊃L): Γ, A ⊃ B ⊢ A    Γ, A ⊃ B, B ⊢ C  /  Γ, A ⊃ B ⊢ C

1. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝) →^ℓ ⌜A⌝ (i.h. on 1st premise)
2. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ claims ⌜B⌝ →^ℓ ⌜C⌝ (i.h. on 2nd premise)
3. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ says ⌜B⌝ →^ℓ ⌜C⌝ (Weakening and Rule (saysL))
4. ⌜B⌝ →^ℓ ℓ says ⌜B⌝ (Lemma F.4)
5. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ⌜B⌝ →^ℓ ⌜C⌝ (Theorem B.2 on 4 and 3)
6. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ⌜A⌝ ⊃ ⌜B⌝ →^ℓ ⌜C⌝ (Rule (⊃L) on 1 and 5)
7. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ claims (⌜A⌝ ⊃ ⌜B⌝), ⌜A⌝ ⊃ ⌜B⌝ →^ℓ ⌜C⌝ (Weakening)
8. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ claims (⌜A⌝ ⊃ ⌜B⌝) →^ℓ ⌜C⌝ (Rule (claims))
9. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ says (⌜A⌝ ⊃ ⌜B⌝) →^ℓ ⌜C⌝ (Rule (saysL))
10. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝) →^ℓ ⌜C⌝ (Rule (claims))

Proof of (2).

Case (affs): Γ ⊢ A  /  Γ ⊢ K affirms A

1. ℓ claims ⌜Γ⌝ →^ℓ ⌜A⌝ (i.h. (1) on premise)
2. ℓ claims ⌜Γ⌝ →^K ⌜A⌝ (Theorem B.1 on 1)

Case (saysL): Γ, K says A, A ⊢ K affirms C  /  Γ, K says A ⊢ K affirms C

1. ℓ claims ⌜Γ⌝, ℓ claims ℓ says K says ⌜A⌝, ℓ claims ⌜A⌝ →^K ⌜C⌝ (i.h. on premise)
2. ℓ claims ⌜Γ⌝, ℓ claims ℓ says K says ⌜A⌝, ℓ says ⌜A⌝ →^K ⌜C⌝ (Weakening and Rule (saysL))
3. ⌜A⌝ →^K ℓ says ⌜A⌝ (Lemma F.4)
4. ℓ claims ⌜Γ⌝, ℓ claims ℓ says K says ⌜A⌝, ⌜A⌝ →^K ⌜C⌝ (Theorem B.2 on 3, 2)
5. ℓ claims ⌜Γ⌝, ℓ claims ℓ says K says ⌜A⌝, ℓ says K says ⌜A⌝, ℓ claims K says ⌜A⌝, K says ⌜A⌝, K claims ⌜A⌝, ⌜A⌝ →^K ⌜C⌝ (Weakening)
6. ℓ claims ⌜Γ⌝, ℓ claims ℓ says K says ⌜A⌝, ℓ says K says ⌜A⌝, ℓ claims K says ⌜A⌝, K says ⌜A⌝, K claims ⌜A⌝ →^K ⌜C⌝ (Rule (claims))
7. ℓ claims ⌜Γ⌝, ℓ claims ℓ says K says ⌜A⌝, ℓ says K says ⌜A⌝, ℓ claims K says ⌜A⌝, K says ⌜A⌝ →^K ⌜C⌝ (Rule (saysL))
8. ℓ claims ⌜Γ⌝, ℓ claims ℓ says K says ⌜A⌝, ℓ says K says ⌜A⌝, ℓ claims K says ⌜A⌝ →^K ⌜C⌝ (Rule (claims))
9. ℓ claims ⌜Γ⌝, ℓ claims ℓ says K says ⌜A⌝, ℓ says K says ⌜A⌝ →^K ⌜C⌝ (Rule (saysL))
10. ℓ claims ⌜Γ⌝, ℓ claims ℓ says K says ⌜A⌝ →^K ⌜C⌝ (Rule (claims))

Case (∧Laff): Γ, A ∧ B, A, B ⊢ K affirms C  /  Γ, A ∧ B ⊢ K affirms C

1. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ℓ claims ⌜A⌝, ℓ claims ⌜B⌝ →^K ⌜C⌝ (i.h. on premise)
2. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ℓ says ⌜A⌝, ℓ says ⌜B⌝ →^K ⌜C⌝ (Weakening and Rule (saysL))
3. ⌜A⌝ →^K ℓ says ⌜A⌝ (Lemma F.4)
4. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ⌜A⌝, ℓ says ⌜B⌝ →^K ⌜C⌝ (Theorem B.2 on 3 and 2)
5. ⌜B⌝ →^K ℓ says ⌜B⌝ (Lemma F.4)
6. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ⌜A⌝, ⌜B⌝ →^K ⌜C⌝ (Theorem B.2 on 5 and 4)
7. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ⌜A⌝ ∧ ⌜B⌝, ⌜A⌝, ⌜B⌝ →^K ⌜C⌝ (Weakening)
8. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝), ⌜A⌝ ∧ ⌜B⌝ →^K ⌜C⌝ (Rule (∧L))
9. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∧ ⌜B⌝) →^K ⌜C⌝ (Rule (claims))

Case (∨Laff): Γ, A ∨ B, A ⊢ K affirms C    Γ, A ∨ B, B ⊢ K affirms C  /  Γ, A ∨ B ⊢ K affirms C

1. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ℓ claims ⌜A⌝ →^K ⌜C⌝ (i.h. on 1st premise)
2. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ℓ says ⌜A⌝ →^K ⌜C⌝ (Weakening and Rule (saysL))
3. ⌜A⌝ →^K ℓ says ⌜A⌝ (Lemma F.4)
4. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ⌜A⌝ →^K ⌜C⌝ (Theorem B.2 on 3 and 2)
5. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ⌜A⌝ ∨ ⌜B⌝, ⌜A⌝ →^K ⌜C⌝ (Weakening)
6. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ⌜A⌝ ∨ ⌜B⌝, ⌜B⌝ →^K ⌜C⌝ (Similar to 5)
7. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝), ⌜A⌝ ∨ ⌜B⌝ →^K ⌜C⌝ (Rule (∨L) on 5 and 6)
8. ℓ claims ⌜Γ⌝, ℓ claims (⌜A⌝ ∨ ⌜B⌝) →^K ⌜C⌝ (Rule (claims))

Case (⊥Laff): Γ, ⊥ ⊢ K affirms C

1. ℓ claims ⌜Γ⌝, ℓ claims ⊥, ⊥ →^K ⌜C⌝ (Rule (⊥L))
2. ℓ claims ⌜Γ⌝, ℓ claims ⊥ →^K ⌜C⌝ (Rule (claims))

Case (⊃Laff): Γ, A ⊃ B ⊢ A    Γ, A ⊃ B, B ⊢ K affirms C  /  Γ, A ⊃ B ⊢ K affirms C

1. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝) →^ℓ ⌜A⌝ (i.h. on 1st premise)
2. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝) →^K ⌜A⌝ (Theorem B.1 on 1)
3. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ claims ⌜B⌝ →^K ⌜C⌝ (i.h. on 2nd premise)
4. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ says ⌜B⌝ →^K ⌜C⌝ (Weakening and Rule (saysL))
5. ⌜B⌝ →^K ℓ says ⌜B⌝ (Lemma F.4)
6. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ⌜B⌝ →^K ⌜C⌝ (Theorem B.2 on 5 and 4)
7. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ⌜A⌝ ⊃ ⌜B⌝ →^K ⌜C⌝ (Rule (⊃L) on 2 and 6)
8. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ claims (⌜A⌝ ⊃ ⌜B⌝), ⌜A⌝ ⊃ ⌜B⌝ →^K ⌜C⌝ (Weakening)
9. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ claims (⌜A⌝ ⊃ ⌜B⌝) →^K ⌜C⌝ (Rule (claims))
10. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝), ℓ says (⌜A⌝ ⊃ ⌜B⌝) →^K ⌜C⌝ (Rule (saysL))
11. ℓ claims ⌜Γ⌝, ℓ claims ℓ says (⌜A⌝ ⊃ ⌜B⌝) →^K ⌜C⌝ (Rule (claims))

□


F.2 Proof of Completeness

We prove completeness of the translation by a method of simulation between proofs. First we characterize syntactically the sequents that can arise in a proof of a translated formula. We call such sequents regular sequents. Next, we define an inverse translation (⌊·⌋) from regular sequents to sequents of ICL, and prove by induction that any proof in DTL0 that ends in a regular sequent can also be simulated (under the inverse translation) in ICL. Completeness follows immediately from this. As a convention, we use the letter k to denote a principal from ICL, and K to denote a principal from DTL0. The latter may either be a principal from ICL or ℓ.

Definition F.6 (Regular Sequents). A DTL0 hypothesis Γ is called regular if it contains assumptions of the following forms only: ⌜A⌝, k claims ⌜A⌝, k says ⌜A⌝, ⌜A⌝ ⊃ ⌜B⌝, P, ℓ claims k says ⌜A⌝, ℓ claims ⌜A⌝ ⊃ ⌜B⌝, or ℓ claims P.

A DTL0 sequent is called regular if it falls into one of the two categories:

1. (α-regular) Γ →^k ⌜C⌝, where Γ is a regular hypothesis.

2. (β-regular) Γ →^ℓ C, where Γ is a regular hypothesis, and C has one of the forms ⌜A⌝, k says ⌜A⌝, ⌜A⌝ ⊃ ⌜B⌝, or P.

Definition F.7 (Inverse Translation). The inverse translation for a regular hypothesis Γ (written ⌊Γ⌋) is defined pointwise, where the inverse translation for assumptions is defined as follows:

⌊⌜A⌝⌋ = A
⌊k claims ⌜A⌝⌋ = k says A
⌊k says ⌜A⌝⌋ = k says A
⌊⌜A⌝ ⊃ ⌜B⌝⌋ = A ⊃ B
⌊P⌋ = P
⌊ℓ claims k says ⌜A⌝⌋ = k says A
⌊ℓ claims ⌜A⌝ ⊃ ⌜B⌝⌋ = A ⊃ B
⌊ℓ claims P⌋ = P

The inverse translation for the α-regular sequent Γ →^k ⌜C⌝ is defined as ⌊Γ⌋ ⊢ k affirms C. The inverse translation for the β-regular sequent Γ →^ℓ C is defined as ⌊Γ⌋ ⊢ ⌊C⌋, where the inverse translation of C is defined as follows:

⌊⌜A⌝⌋ = A
⌊k says ⌜A⌝⌋ = k says A
⌊⌜A⌝ ⊃ ⌜B⌝⌋ = A ⊃ B
⌊P⌋ = P
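The regularity check of Definition F.6 and the inverse translation ⌊·⌋ of Definition F.7 are entirely syntactic, so they can be written down as a small program. The following is an added example (not code from the paper) that encodes ICL and DTL0 formulas as Python dataclasses and implements ⌊·⌋ on regular hypotheses, on β-regular conclusions, and on whole regular sequents. The forward translation ⌜·⌝ is not defined on this page; the clauses used here (⌜P⌝ = ℓ says P, ⌜A ⊃ B⌝ = ℓ says (⌜A⌝ ⊃ ⌜B⌝), ⌜k says A⌝ = ℓ says k says ⌜A⌝, with ∧, ∨, ⊤, ⊥ translated homomorphically) are an assumption read off the cases of Lemma F.4 and the regular forms above. The constructor names, the string "ell" for ℓ, and the sample formulas are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Union, List, Tuple

# Constructed syntax shared by ICL and DTL0 formulas (assumption: minimal
# encoding of the connectives that appear on this page; not the paper's code).
@dataclass(frozen=True)
class Atom:
    name: str

@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Or:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Imp:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Top:
    pass

@dataclass(frozen=True)
class Bot:
    pass

@dataclass(frozen=True)
class Says:
    principal: str
    body: "Formula"

@dataclass(frozen=True)
class Claims:          # K claims A occurs only in DTL0 hypotheses
    principal: str
    body: "Formula"

Formula = Union[Atom, And, Or, Imp, Top, Bot, Says, Claims]

ELL = "ell"  # the distinguished DTL0 principal written ℓ on the page (assumption)

def translate(a: Formula) -> Formula:
    """⌜·⌝ from ICL into DTL0 (assumption: clauses read off Lemma F.4)."""
    if isinstance(a, Atom):
        return Says(ELL, a)                                   # ⌜P⌝ = ℓ says P
    if isinstance(a, (And, Or)):
        return type(a)(translate(a.left), translate(a.right))
    if isinstance(a, (Top, Bot)):
        return a
    if isinstance(a, Imp):                                    # ⌜A ⊃ B⌝ = ℓ says (⌜A⌝ ⊃ ⌜B⌝)
        return Says(ELL, Imp(translate(a.left), translate(a.right)))
    if isinstance(a, Says) and a.principal != ELL:            # ⌜k says A⌝ = ℓ says k says ⌜A⌝
        return Says(ELL, Says(a.principal, translate(a.body)))
    raise ValueError(f"not an ICL formula: {a!r}")

def untranslate(d: Formula) -> Optional[Formula]:
    """Return A if d == ⌜A⌝ for some ICL formula A, else None (⌜·⌝ is injective)."""
    if isinstance(d, (Top, Bot)):
        return d
    if isinstance(d, (And, Or)):
        l, r = untranslate(d.left), untranslate(d.right)
        return None if l is None or r is None else type(d)(l, r)
    if isinstance(d, Says) and d.principal == ELL:
        b = d.body
        if isinstance(b, Atom):
            return b
        if isinstance(b, Imp):
            l, r = untranslate(b.left), untranslate(b.right)
            return None if l is None or r is None else Imp(l, r)
        if isinstance(b, Says) and b.principal != ELL:
            a = untranslate(b.body)
            return None if a is None else Says(b.principal, a)
    return None

def inverse_concl(c: Formula) -> Formula:
    """⌊·⌋ on a β-regular conclusion: ⌜A⌝, k says ⌜A⌝, ⌜A⌝ ⊃ ⌜B⌝ or P (Definition F.7)."""
    a = untranslate(c)
    if a is not None:                                         # ⌊⌜A⌝⌋ = A
        return a
    if isinstance(c, Atom):                                   # ⌊P⌋ = P
        return c
    if isinstance(c, Imp):                                    # ⌊⌜A⌝ ⊃ ⌜B⌝⌋ = A ⊃ B
        l, r = untranslate(c.left), untranslate(c.right)
        if l is not None and r is not None:
            return Imp(l, r)
    if isinstance(c, Says) and c.principal != ELL:            # ⌊k says ⌜A⌝⌋ = k says A
        a = untranslate(c.body)
        if a is not None:
            return Says(c.principal, a)
    raise ValueError(f"not a regular form: {c!r}")

def inverse_hyp(h: Formula) -> Formula:
    """⌊·⌋ on one DTL0 assumption; raises ValueError unless it has one of the
    eight regular forms of Definition F.6."""
    if isinstance(h, Claims):
        b = h.body
        if h.principal != ELL:                                # ⌊k claims ⌜A⌝⌋ = k says A
            a = untranslate(b)
            if a is not None:
                return Says(h.principal, a)
        elif isinstance(b, (Atom, Imp)) or (isinstance(b, Says) and b.principal != ELL):
            return inverse_concl(b)                           # ⌊ℓ claims X⌋ = ⌊X⌋ for the three ℓ-forms
        raise ValueError(f"not a regular assumption: {h!r}")
    return inverse_concl(h)                                   # ⌜A⌝, k says ⌜A⌝, ⌜A⌝ ⊃ ⌜B⌝, P

def inverse_sequent(hyps: List[Formula], view: str, concl: Formula) -> Tuple[List[Formula], tuple]:
    """Inverse translation of a regular DTL0 sequent Γ →^view concl.
    α-regular (view = k, concl = ⌜C⌝) gives ⌊Γ⌋ ⊢ k affirms C;
    β-regular (view = ℓ) gives ⌊Γ⌋ ⊢ ⌊concl⌋."""
    gamma = [inverse_hyp(h) for h in hyps]
    if view == ELL:
        return gamma, ("true", inverse_concl(concl))
    c = untranslate(concl)
    if c is None:
        raise ValueError("an α-regular sequent needs a conclusion of the form ⌜C⌝")
    return gamma, ("affirms", view, c)
```

Running `inverse_hyp` over every assumption of a hypothesis is exactly the regularity test of Definition F.6: the function raises on anything outside the eight listed forms, for instance on ℓ claims (⌜A⌝ ∧ ⌜B⌝) or ℓ claims ⌜P⌝, which is why the proof of Lemma F.8 can restrict the (claims) and (saysL) cases to the three ℓ-prefixed shapes.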

Lemma F.8 (Completeness of Translation). The following hold.

1. If Γ →^k ⌜C⌝ is α-regular and provable in DTL0, then ⌊Γ⌋ ⊢ k affirms C in ICL's sequent calculus.

2. If Γ →^ℓ C is β-regular and provable in DTL0, then ⌊Γ⌋ ⊢ ⌊C⌋ in ICL's sequent calculus.

Proof. We prove both statements by a simultaneous induction on the depths of the given derivations, and case analyze the last rule in the derivations.


Proof of (1).

Case (init): Γ, P →^k P   (P atomic)

1.  ⌊Γ⌋, P ⊢ P (Rule (init))
2.  ⌊Γ⌋, P ⊢ k affirms P (Rule (affs))

Case (claims), with k ⪰ k: Γ, k claims ⌜A⌝, ⌜A⌝ →^k ⌜C⌝  /  Γ, k claims ⌜A⌝ →^k ⌜C⌝

1.  ⌊Γ⌋, k says A, A ⊢ k affirms C (i.h. on premise)
2.  ⌊Γ⌋, k says A ⊢ k affirms C (Rule (saysL))

Case (claims), with ℓ ⪰ k: Γ, ℓ claims A, A →^k ⌜C⌝  /  Γ, ℓ claims A →^k ⌜C⌝

By regularity, A must have one of the forms k says ⌜B⌝, ⌜B1⌝ ⊃ ⌜B2⌝, or P. It is easy to check that in each case, ⌊ℓ claims A⌋ = ⌊A⌋. Thus we have:

1.  ⌊Γ⌋, ⌊ℓ claims A⌋, ⌊A⌋ ⊢ k affirms C (i.h. on premise)
2.  ⌊Γ⌋, ⌊ℓ claims A⌋ ⊢ k affirms C (Strengthening; ⌊ℓ claims A⌋ = ⌊A⌋)

Case (saysR): Γ|ℓ →^ℓ C  /  Γ →^k ℓ says C

By regularity, ℓ says C must have the form ⌜C'⌝, and hence C must have one of the forms k' says ⌜A⌝, ⌜A⌝ ⊃ ⌜B⌝, or P. In each case, observe that the premise is β-regular, and that ⌊C⌋ = ⌊ℓ says C⌋. Thus we have:

1.  ⌊Γ|ℓ⌋ ⊢ ⌊C⌋ (i.h. (2) on premise)
2.  ⌊Γ⌋ ⊢ ⌊C⌋ (Weakening)
3.  ⌊Γ⌋ ⊢ k affirms ⌊C⌋ (Rule (affs))
4.  ⌊Γ⌋ ⊢ k affirms ⌊ℓ says C⌋ (⌊C⌋ = ⌊ℓ says C⌋)

Case (saysL), with principal k': Γ, k' says ⌜A⌝, k' claims ⌜A⌝ →^k ⌜C⌝  /  Γ, k' says ⌜A⌝ →^k ⌜C⌝

1.  ⌊Γ⌋, k' says A, k' says A ⊢ k affirms C (i.h. on premise)
2.  ⌊Γ⌋, k' says A ⊢ k affirms C (Strengthening)

Case (saysL), with principal ℓ: Γ, ℓ says A, ℓ claims A →^k ⌜C⌝  /  Γ, ℓ says A →^k ⌜C⌝

By regularity, A must have one of the forms k' says ⌜A'⌝, ⌜B1⌝ ⊃ ⌜B2⌝, or P. In each case, observe that the premise is also α-regular, and that ⌊ℓ says A⌋ = ⌊ℓ claims A⌋.

1.  ⌊Γ⌋, ⌊ℓ says A⌋, ⌊ℓ claims A⌋ ⊢ k affirms C (i.h. on premise)
2.  ⌊Γ⌋, ⌊ℓ says A⌋ ⊢ k affirms C (Strengthening; ⌊ℓ says A⌋ = ⌊ℓ claims A⌋)

Case (∧R): Γ →^k ⌜A⌝    Γ →^k ⌜B⌝  /  Γ →^k ⌜A⌝ ∧ ⌜B⌝

1.  ⌊Γ⌋ ⊢ k affirms A (i.h. on 1st premise)
2.  ⌊Γ⌋ ⊢ k affirms B (i.h. on 2nd premise)
3.  A, B ⊢ A ∧ B (Provable in ICL)
4.  A, B ⊢ k affirms (A ∧ B) (Rule (affs))
5.  ⌊Γ⌋, A ⊢ k affirms (A ∧ B) (Lemma F.2.2 on 2 and 4)
6.  ⌊Γ⌋ ⊢ k affirms (A ∧ B) (Lemma F.2.2 on 1 and 5)

Case (∧L): Γ, ⌜A⌝ ∧ ⌜B⌝, ⌜A⌝, ⌜B⌝ →^k ⌜C⌝  /  Γ, ⌜A⌝ ∧ ⌜B⌝ →^k ⌜C⌝

1.  ⌊Γ⌋, A ∧ B, A, B ⊢ k affirms C (i.h. on premise)
2.  ⌊Γ⌋, A ∧ B ⊢ k affirms C (Rule (∧Laff))

Case (∨R1): Γ →^k ⌜A⌝  /  Γ →^k ⌜A⌝ ∨ ⌜B⌝

1.  ⌊Γ⌋ ⊢ k affirms A (i.h. on premise)
2.  A ⊢ A ∨ B (Provable in ICL)
3.  A ⊢ k affirms (A ∨ B) (Rule (affs))
4.  ⌊Γ⌋ ⊢ k affirms (A ∨ B) (Lemma F.2.2 on 1 and 3)

Case (∨R2): Γ →^k ⌜B⌝  /  Γ →^k ⌜A⌝ ∨ ⌜B⌝

1.  ⌊Γ⌋ ⊢ k affirms B (i.h. on premise)
2.  B ⊢ A ∨ B (Provable in ICL)
3.  B ⊢ k affirms (A ∨ B) (Rule (affs))
4.  ⌊Γ⌋ ⊢ k affirms (A ∨ B) (Lemma F.2.2 on 1 and 3)

Case (∨L): Γ, ⌜A⌝ ∨ ⌜B⌝, ⌜A⌝ →^k ⌜C⌝    Γ, ⌜A⌝ ∨ ⌜B⌝, ⌜B⌝ →^k ⌜C⌝  /  Γ, ⌜A⌝ ∨ ⌜B⌝ →^k ⌜C⌝

1.  ⌊Γ⌋, A ∨ B, A ⊢ k affirms C (i.h. on 1st premise)
2.  ⌊Γ⌋, A ∨ B, B ⊢ k affirms C (i.h. on 2nd premise)
3.  ⌊Γ⌋, A ∨ B ⊢ k affirms C (Rule (∨Laff))

Case (⊤R): Γ →^k ⊤

1.  ⌊Γ⌋ ⊢ ⊤ (Rule (⊤R))
2.  ⌊Γ⌋ ⊢ k affirms ⊤ (Rule (affs))

Case (⊥L): Γ, ⊥ →^k ⌜C⌝

1.  ⌊Γ⌋, ⊥ ⊢ k affirms C (Rule (⊥Laff))

Case. Rule (⊃R) does not arise.

Case (⊃L): Γ, ⌜A⌝ ⊃ ⌜B⌝ →^k ⌜A⌝    Γ, ⌜A⌝ ⊃ ⌜B⌝, ⌜B⌝ →^k ⌜C⌝  /  Γ, ⌜A⌝ ⊃ ⌜B⌝ →^k ⌜C⌝

1.  ⌊Γ⌋, A ⊃ B ⊢ k affirms A (i.h. on 1st premise)
2.  ⌊Γ⌋, A ⊃ B, B ⊢ k affirms C (i.h. on 2nd premise)
3.  ⌊Γ⌋, A ⊃ B, B, A ⊢ k affirms C (Weakening)
4.  ⌊Γ⌋, A ⊃ B, A ⊢ A (Lemma F.3)
5.  ⌊Γ⌋, A ⊃ B, A ⊢ k affirms C (Rule (⊃Laff) on 4 and 3)
6.  ⌊Γ⌋, A ⊃ B ⊢ k affirms C (Lemma F.2 on 1 and 5)
Proof of (2).

Case (init): Γ, P →^ℓ P   (P atomic)

1.  ⌊Γ⌋, P ⊢ P (Rule (init))

Case (claims), with ℓ ⪰ ℓ: Γ, ℓ claims A, A →^ℓ C  /  Γ, ℓ claims A →^ℓ C

By regularity, A must have one of the forms k says ⌜B⌝, ⌜B1⌝ ⊃ ⌜B2⌝, or P. It is easy to check that in each case, ⌊ℓ claims A⌋ = ⌊A⌋. Thus we have:

1.  ⌊Γ⌋, ⌊ℓ claims A⌋, ⌊A⌋ ⊢ ⌊C⌋ (i.h. on premise)
2.  ⌊Γ⌋, ⌊ℓ claims A⌋ ⊢ ⌊C⌋ (Strengthening; ⌊ℓ claims A⌋ = ⌊A⌋)

Case (saysR), with principal ℓ: Γ|ℓ →^ℓ C  /  Γ →^ℓ ℓ says C

By regularity, ℓ says C must have the form ⌜C'⌝, and hence C must have one of the forms k' says ⌜A⌝, ⌜A⌝ ⊃ ⌜B⌝, or P. In each case, observe that the premise is also β-regular, and that ⌊C⌋ = ⌊ℓ says C⌋. Thus we have:

1.  ⌊Γ|ℓ⌋ ⊢ ⌊C⌋ (i.h. on premise)
2.  ⌊Γ⌋ ⊢ ⌊C⌋ (Weakening)
3.  ⌊Γ⌋ ⊢ ⌊ℓ says C⌋ (⌊C⌋ = ⌊ℓ says C⌋)

Case (saysR), with principal k: Γ|k →^k ⌜C⌝  /  Γ →^ℓ k says ⌜C⌝

Observe that the premise is α-regular.

1.  ⌊Γ|k⌋ ⊢ k affirms C (i.h. (1) on premise)
2.  ⌊Γ|k⌋ ⊢ k says C (Rule (saysR))
3.  ⌊Γ⌋ ⊢ k says C (Weakening)

Case (saysL), with principal k': Γ, k' says ⌜A⌝, k' claims ⌜A⌝ →^ℓ C  /  Γ, k' says ⌜A⌝ →^ℓ C

1.  ⌊Γ⌋, k' says A, k' says A ⊢ ⌊C⌋ (i.h. on premise)
2.  ⌊Γ⌋, k' says A ⊢ ⌊C⌋ (Strengthening)

Case (saysL), with principal ℓ: Γ, ℓ says A, ℓ claims A →^ℓ C  /  Γ, ℓ says A →^ℓ C

By regularity, A must have one of the forms k' says ⌜A'⌝, ⌜B1⌝ ⊃ ⌜B2⌝, or P. In each case, observe that the premise is also β-regular, and that ⌊ℓ says A⌋ = ⌊ℓ claims A⌋.

1.  ⌊Γ⌋, ⌊ℓ says A⌋, ⌊ℓ claims A⌋ ⊢ ⌊C⌋ (i.h. on premise)
2.  ⌊Γ⌋, ⌊ℓ says A⌋ ⊢ ⌊C⌋ (Strengthening; ⌊ℓ says A⌋ = ⌊ℓ claims A⌋)

Case (∧R): Γ →^ℓ ⌜A⌝    Γ →^ℓ ⌜B⌝  /  Γ →^ℓ ⌜A⌝ ∧ ⌜B⌝

1.  ⌊Γ⌋ ⊢ A (i.h. on 1st premise)
2.  ⌊Γ⌋ ⊢ B (i.h. on 2nd premise)
3.  ⌊Γ⌋ ⊢ A ∧ B (Rule (∧R))

Case (∧L): Γ, ⌜A⌝ ∧ ⌜B⌝, ⌜A⌝, ⌜B⌝ →^ℓ C  /  Γ, ⌜A⌝ ∧ ⌜B⌝ →^ℓ C

1.  ⌊Γ⌋, A ∧ B, A, B ⊢ ⌊C⌋ (i.h. on premise)
2.  ⌊Γ⌋, A ∧ B ⊢ ⌊C⌋ (Rule (∧L))

Case (∨R1): Γ →^ℓ ⌜A⌝  /  Γ →^ℓ ⌜A⌝ ∨ ⌜B⌝

1.  ⌊Γ⌋ ⊢ A (i.h. on premise)
2.  ⌊Γ⌋ ⊢ A ∨ B (Rule (∨R1))

Case (∨R2): Γ →^ℓ ⌜B⌝  /  Γ →^ℓ ⌜A⌝ ∨ ⌜B⌝

1.  ⌊Γ⌋ ⊢ B (i.h. on premise)
2.  ⌊Γ⌋ ⊢ A ∨ B (Rule (∨R2))

Case (∨L): Γ, ⌜A⌝ ∨ ⌜B⌝, ⌜A⌝ →^ℓ C    Γ, ⌜A⌝ ∨ ⌜B⌝, ⌜B⌝ →^ℓ C  /  Γ, ⌜A⌝ ∨ ⌜B⌝ →^ℓ C

1.  ⌊Γ⌋, A ∨ B, A ⊢ ⌊C⌋ (i.h. on 1st premise)
2.  ⌊Γ⌋, A ∨ B, B ⊢ ⌊C⌋ (i.h. on 2nd premise)
3.  ⌊Γ⌋, A ∨ B ⊢ ⌊C⌋ (Rule (∨L))

Case (⊤R): Γ →^ℓ ⊤

1.  ⌊Γ⌋ ⊢ ⊤ (Rule (⊤R))

Case (⊥L): Γ, ⊥ →^ℓ C

1.  ⌊Γ⌋, ⊥ ⊢ ⌊C⌋ (Rule (⊥L))

Case (⊃R): Γ, ⌜A⌝ →^ℓ ⌜B⌝  /  Γ →^ℓ ⌜A⌝ ⊃ ⌜B⌝

1.  ⌊Γ⌋, A ⊢ B (i.h. on premise)
2.  ⌊Γ⌋ ⊢ A ⊃ B (Rule (⊃R))

Case (⊃L): Γ, ⌜A⌝ ⊃ ⌜B⌝ →^ℓ ⌜A⌝    Γ, ⌜A⌝ ⊃ ⌜B⌝, ⌜B⌝ →^ℓ C  /  Γ, ⌜A⌝ ⊃ ⌜B⌝ →^ℓ C

1.  ⌊Γ⌋, A ⊃ B ⊢ A (i.h. on 1st premise)
2.  ⌊Γ⌋, A ⊃ B, B ⊢ ⌊C⌋ (i.h. on 2nd premise)
3.  ⌊Γ⌋, A ⊃ B ⊢ ⌊C⌋ (Rule (⊃L))

□

Theorem F.9 (Correctness; Theorem 5.3). ⊢ A in ICL if and only if · →^ℓ ⌜A⌝ in DTL0.

Proof. Suppose ⊢ A in ICL. By Lemma F.1, · ⊢ A in ICL's sequent calculus. Thus by Lemma F.5.1, · →^ℓ ⌜A⌝ in DTL0.

Conversely, suppose that · →^ℓ ⌜A⌝ in DTL0. By Lemma F.8.2, · ⊢ A in ICL's sequent calculus. By Lemma F.1, ⊢ A in ICL's axiomatic system. □
G Proofs from Section 5.3

In this appendix we prove that the translation from IIK to DTL0 is both sound and complete (Theorem 5.4). Part of our proof uses a generalized axiomatic proof system for IIK, which we develop first.


G.1 The Axiomatic System for IIK

In Section 5.3, we listed the axioms and rules of IIK that are specific to the modality K says A. Below we list all the rules and axioms of IIK (each rule is written as "premises / conclusion").

nec:  ⊢ A  /  ⊢ K says A
mp:   ⊢ A ⊃ B    ⊢ A  /  ⊢ B
ax:   A is an axiom  /  ⊢ A

Axioms:

(K says (A ⊃ B)) ⊃ ((K says A) ⊃ (K says B))   (K)
A ⊃ (B ⊃ A)   (imp1)
(A ⊃ B) ⊃ ((A ⊃ (B ⊃ C)) ⊃ (A ⊃ C))   (imp2)
A ⊃ (B ⊃ (A ∧ B))   (conj1)
(A ∧ B) ⊃ A   (conj2)
(A ∧ B) ⊃ B   (conj3)
A ⊃ (A ∨ B)   (disj1)
B ⊃ (A ∨ B)   (disj2)
(A ⊃ C) ⊃ ((B ⊃ C) ⊃ ((A ∨ B) ⊃ C))   (disj3)
⊤   (true)
⊥ ⊃ A   (false)

Next, we generalize the axiomatic system, adding hypothetical reasoning, as we did for the axiomatic system of DTL0 (Appendix C). We write Γ ⊢_G A to mean that A follows from the formulas in Γ. The rules of deduction are:

use:  Γ, A ⊢_G A
nec:  · ⊢_G A  /  Γ ⊢_G K says A
mp:   Γ ⊢_G A ⊃ B    Γ ⊢_G A  /  Γ ⊢_G B
ax:   A is an axiom  /  Γ ⊢_G A

As for DTL0, we prove some elementary properties for the generalized system of IIK, and show also that the generalized system and the axiomatic system are equivalent.

Lemma G.1 (Basic properties). The following hold.

1. (Weakening) Γ ⊢_G A implies Γ, Γ' ⊢_G A.

2. (Substitution) Γ ⊢_G A and Γ, A ⊢_G B imply Γ ⊢_G B.

Proof. Exactly as for DTL0 in Lemma C.1, since the proof does not rely on the specific axioms used. □

Theorem G.2 (Deduction). The following hold.

1. Γ ⊢_G A ⊃ B implies Γ, A ⊢_G B.

2. Γ, A ⊢_G B implies Γ ⊢_G A ⊃ B.

Proof. Exactly as for DTL0 in Theorem C.2. The proof does not rely on the axioms (4), (C), or (S), which are the only axioms present in DTL0 that are not present in IIK. □

Theorem G.3 (G iff Axiomatic). ⊢ A if and only if · ⊢_G A.

Proof. In each direction by straightforward induction on the given derivation. □


G.2 Proof of Soundness

Lemma G.4 (Soundness of Translation). If ⊢ A in IIK, then for each K, · →^K ⌜A⌝ in ICL's axiomatic system.

Proof. We induct on the derivation of ⊢ A, analyzing cases of the last rule in it.

Case (nec): ⊢ A  /  ⊢ K' says A

1.  · →^{K'} ⌜A⌝ (i.h. on premise)
2.  · →^{d} K' says ⌜A⌝ (Rule (saysR))
3.  · →^K d says K' says ⌜A⌝ (Rule (saysR))

Case (mp): ⊢ A ⊃ B    ⊢ A  /  ⊢ B

1.  · →^K ⌜A⌝ ⊃ ⌜B⌝ (i.h. on 1st premise)
2.  · →^K ⌜A⌝ (i.h. on 2nd premise)
3.  ⌜B⌝ →^K ⌜B⌝ (Theorem B.3)
4.  ⌜A⌝ ⊃ ⌜B⌝ →^K ⌜B⌝ (Rule (⊃L) on 2 and 3)
5.  · →^K ⌜B⌝ (Theorem B.2 on 1 and 4)

Case (ax): A is an axiom  /  ⊢ A

We case analyze all possible axioms A.

Case (Axiom K). A = (K' says (A' ⊃ B')) ⊃ ((K' says A') ⊃ (K' says B'))

1.  ⌜A'⌝ ⊃ ⌜B'⌝, ⌜A'⌝ →^{K'} ⌜B'⌝ (Provable in DTL0)
2.  K' claims (⌜A'⌝ ⊃ ⌜B'⌝), K' claims ⌜A'⌝ →^{K'} ⌜B'⌝ (Weakening and Rule (claims))
3.  K' claims (⌜A'⌝ ⊃ ⌜B'⌝), K' claims ⌜A'⌝ →^{d} K' says ⌜B'⌝ (Rule (saysR))
4.  K' says (⌜A'⌝ ⊃ ⌜B'⌝), K' says ⌜A'⌝ →^{d} K' says ⌜B'⌝ (Weakening and Rule (saysL))
5.  d claims K' says (⌜A'⌝ ⊃ ⌜B'⌝), d claims K' says ⌜A'⌝ →^{d} K' says ⌜B'⌝ (Weakening and Rule (claims))
6.  d claims K' says (⌜A'⌝ ⊃ ⌜B'⌝), d claims K' says ⌜A'⌝ →^K d says K' says ⌜B'⌝ (Rule (saysR))
7.  d says K' says (⌜A'⌝ ⊃ ⌜B'⌝), d says K' says ⌜A'⌝ →^K d says K' says ⌜B'⌝ (Weakening and Rule (saysL))
8.  · →^K (d says K' says (⌜A'⌝ ⊃ ⌜B'⌝)) ⊃ ((d says K' says ⌜A'⌝) ⊃ d says K' says ⌜B'⌝) (Rule (⊃R))

The remaining cases are straightforward.

□


G.3 Proof of Completeness

Our proof of completeness needs a basic lemma about proofs in DTL$_0$. We also use this lemma later to prove other translations correct.

Lemma G.5 (Inversion in DTL$_0$). The following hold in the sequent calculus of DTL$_0$.

1. If $\Gamma, K\ \mathrm{says}\ A \xrightarrow{K'} C$ then $\Gamma, K\ \mathrm{claims}\ A \xrightarrow{K'} C$ by a shorter or equal derivation.

2. If $\Gamma \xrightarrow{K} A \wedge B$ then $\Gamma \xrightarrow{K} A$ and $\Gamma \xrightarrow{K} B$ by shorter or equal derivations.

Proof. In each case by induction on the given derivations. □

Next, we carefully characterize sequents that may occur in the proof of a translated formula. We call these sequents regular. As a general convention, we use the letter $k$ to denote principals in ΠK, and $K$ to denote principals in DTL$_0$. The latter may either be principals from ΠK, or $d$. The principal $\ell$, although present in DTL$_0$, never shows up in proofs of translated formulas. This is a consequence of the subformula property of DTL$_0$’s sequent calculus.

Definition G.6 (Regular Hypothesis). Given a ΠK principal $k$, we call a hypothesis $\Gamma$ $k$-regular if the following holds:

1. $\Gamma$ contains assumptions of the forms $\ulcorner A \urcorner$, $k\ \mathrm{claims}\ \ulcorner A \urcorner$, and $d\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner$ only, where $A$ denotes an arbitrary formula in ΠK. (Note that the principal $k$ in “$k$-regular” is the same as the principal $k$ in $k\ \mathrm{claims}\ \ulcorner A \urcorner$.)

We call a DTL$_0$ hypothesis $\Gamma$ $d$-regular if the following hold:

1. $\Gamma$ contains assumptions of the forms $d\ \mathrm{claims}\ k\ \mathrm{says}\ \ulcorner A \urcorner$ and $k\ \mathrm{claims}\ \ulcorner A \urcorner$ only, where $A$ denotes an arbitrary formula in ΠK.

2. $k\ \mathrm{claims}\ \ulcorner A \urcorner \in \Gamma$ implies $d\ \mathrm{claims}\ k\ \mathrm{says}\ \ulcorner A \urcorner \in \Gamma$.

Definition G.7 (Regular Sequent). We call a sequent regular if it has one of the following forms:

1. ($k$-regular) $\Gamma \xrightarrow{k} \ulcorner A \urcorner$, where $\Gamma$ is $k$-regular.

2. ($d$-regular) $\Gamma \xrightarrow{d} k\ \mathrm{says}\ \ulcorner A \urcorner$, where $\Gamma$ is $d$-regular.

Next we define an inverse translation $\lfloor \cdot \rfloor_k$ from regular hypotheses to hypotheses in ΠK’s generalized axiomatic system.

Definition G.8 (Inverse Translation). The inverse translation $\lfloor \Gamma \rfloor_k$ for a $k$-regular hypothesis $\Gamma$ is defined pointwise, where the inverse translation for assumptions is:

$\lfloor \ulcorner A \urcorner \rfloor_k = A$

$\lfloor k\ \mathrm{claims}\ \ulcorner A \urcorner \rfloor_k = A$

$\lfloor d\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner \rfloor_k = k'\ \mathrm{says}\ A$

The inverse translation $\lfloor \Gamma \rfloor_d$ for a $d$-regular hypothesis $\Gamma$ is defined pointwise, where the inverse translation for assumptions is:

$\lfloor d\ \mathrm{claims}\ k\ \mathrm{says}\ \ulcorner A \urcorner \rfloor_d = k\ \mathrm{says}\ A$

$\lfloor k\ \mathrm{claims}\ \ulcorner A \urcorner \rfloor_d = \cdot$ (Empty)

Lemma G.9 (Completeness of Translation). The following hold:

1. If $\Gamma \xrightarrow{k} \ulcorner A \urcorner$ is $k$-regular and provable in DTL$_0$, then $\lfloor \Gamma \rfloor_k \vdash_G A$ is provable in ΠK’s generalized axiomatic system.

2. If $\Gamma \xrightarrow{d} k\ \mathrm{says}\ \ulcorner A \urcorner$ is $d$-regular and provable in DTL$_0$, then $\lfloor \Gamma \rfloor_d \vdash_G k\ \mathrm{says}\ A$ is provable in ΠK’s generalized axiomatic system.

Proof. We prove both statements simultaneously by induction on the depths of the given derivations. In each case, we analyze the last rule in the derivation.

Proof of (1).

Case. $\dfrac{P \text{ atomic}}{\Gamma, P \xrightarrow{k} P}$ (init)

1. $\lfloor \Gamma \rfloor_k, P \vdash_G P$ (Rule (use))

Case. $\dfrac{\Gamma, k\ \mathrm{claims}\ \ulcorner A \urcorner, \ulcorner A \urcorner \xrightarrow{k} \ulcorner B \urcorner}{\Gamma, k\ \mathrm{claims}\ \ulcorner A \urcorner \xrightarrow{k} \ulcorner B \urcorner}$ (claims)

1. $\lfloor \Gamma \rfloor_k, A, A \vdash_G B$ (i.h. on premise)

2. $\lfloor \Gamma \rfloor_k, A \vdash_G A$ (Rule (use))

3. $\lfloor \Gamma \rfloor_k, A \vdash_G B$ (Lemma G.1.2 on 2 and 1)

Case. $\dfrac{\Gamma|_d \xrightarrow{d} k'\ \mathrm{says}\ \ulcorner A \urcorner}{\Gamma \xrightarrow{k} d\ \mathrm{says}\ k'\ \mathrm{says}\ \ulcorner A \urcorner}$ (saysR)

By $k$-regularity of $\Gamma$, $\Gamma|_d$ must have the form $d\ \mathrm{claims}\ k_1\ \mathrm{says}\ \ulcorner B_1 \urcorner, \ldots, d\ \mathrm{claims}\ k_n\ \mathrm{says}\ \ulcorner B_n \urcorner$. Clearly, $\Gamma|_d$ is $d$-regular. Hence the premise is $d$-regular.

1. $\lfloor \Gamma|_d \rfloor_d \vdash_G k'\ \mathrm{says}\ A$ (i.h. (2) on premise)

2. $\lfloor \Gamma|_d \rfloor_d \subseteq \lfloor \Gamma \rfloor_k$ (Defn.)

3. $\lfloor \Gamma \rfloor_k \vdash_G k'\ \mathrm{says}\ A$ (Lemma G.1.1 on 1 using 2)

Case. $\dfrac{\Gamma, d\ \mathrm{says}\ k'\ \mathrm{says}\ \ulcorner A \urcorner, d\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner \xrightarrow{k} \ulcorner C \urcorner}{\Gamma, d\ \mathrm{says}\ k'\ \mathrm{says}\ \ulcorner A \urcorner \xrightarrow{k} \ulcorner C \urcorner}$ (saysL)

1. $\lfloor \Gamma \rfloor_k, k'\ \mathrm{says}\ A, k'\ \mathrm{says}\ A \vdash_G C$ (i.h. on premise)

2. $\lfloor \Gamma \rfloor_k, k'\ \mathrm{says}\ A \vdash_G k'\ \mathrm{says}\ A$ (Rule (use))

3. $\lfloor \Gamma \rfloor_k, k'\ \mathrm{says}\ A \vdash_G C$ (Lemma G.1.2 on 2 and 1)

Case. $\dfrac{\Gamma \xrightarrow{k} \ulcorner A \urcorner \quad \Gamma \xrightarrow{k} \ulcorner B \urcorner}{\Gamma \xrightarrow{k} \ulcorner A \urcorner \wedge \ulcorner B \urcorner}$ ($\wedge$R)

1. $\lfloor \Gamma \rfloor_k \vdash_G A$ (i.h. on 1st premise)

2. $\lfloor \Gamma \rfloor_k \vdash_G B$ (i.h. on 2nd premise)

3. $\lfloor \Gamma \rfloor_k \vdash_G A \supset (B \supset (A \wedge B))$ (Rule (ax) and (conj1))

4. $\lfloor \Gamma \rfloor_k \vdash_G B \supset (A \wedge B)$ (Rule (mp) on 3 and 1)

5. $\lfloor \Gamma \rfloor_k \vdash_G A \wedge B$ (Rule (mp) on 4 and 2)

Case. $\dfrac{\Gamma, \ulcorner A \urcorner \wedge \ulcorner B \urcorner, \ulcorner A \urcorner, \ulcorner B \urcorner \xrightarrow{k} \ulcorner C \urcorner}{\Gamma, \ulcorner A \urcorner \wedge \ulcorner B \urcorner \xrightarrow{k} \ulcorner C \urcorner}$ ($\wedge$L)

1. $\lfloor \Gamma \rfloor_k, A \wedge B, A, B \vdash_G C$ (i.h. on premise)

2. $\lfloor \Gamma \rfloor_k, A \wedge B \vdash_G A \wedge B$ (Rule (use))

3. $\lfloor \Gamma \rfloor_k, A \wedge B \vdash_G (A \wedge B) \supset A$ (Rule (ax) and (conj2))

4. $\lfloor \Gamma \rfloor_k, A \wedge B \vdash_G A$ (Rule (mp) on 3 and 2)

5. $\lfloor \Gamma \rfloor_k, A \wedge B \vdash_G (A \wedge B) \supset B$ (Rule (ax) and (conj3))

6. $\lfloor \Gamma \rfloor_k, A \wedge B \vdash_G B$ (Rule (mp) on 5 and 2)

7. $\lfloor \Gamma \rfloor_k, A \wedge B, B \vdash_G C$ (Lemma G.1.2 on 4 and 1)

8. $\lfloor \Gamma \rfloor_k, A \wedge B \vdash_G C$ (Lemma G.1.2 on 6 and 7)

Case. $\dfrac{\Gamma \xrightarrow{k} \ulcorner A \urcorner}{\Gamma \xrightarrow{k} \ulcorner A \urcorner \vee \ulcorner B \urcorner}$ ($\vee$R$_1$)

1. $\lfloor \Gamma \rfloor_k \vdash_G A$ (i.h. on premise)

2. $\lfloor \Gamma \rfloor_k \vdash_G A \supset (A \vee B)$ (Rule (ax) and (disj1))

3. $\lfloor \Gamma \rfloor_k \vdash_G A \vee B$ (Rule (mp) on 2 and 1)

Case. $\dfrac{\Gamma \xrightarrow{k} \ulcorner B \urcorner}{\Gamma \xrightarrow{k} \ulcorner A \urcorner \vee \ulcorner B \urcorner}$ ($\vee$R$_2$)

1. $\lfloor \Gamma \rfloor_k \vdash_G B$ (i.h. on premise)

2. $\lfloor \Gamma \rfloor_k \vdash_G B \supset (A \vee B)$ (Rule (ax) and (disj2))

3. $\lfloor \Gamma \rfloor_k \vdash_G A \vee B$ (Rule (mp) on 2 and 1)

Case. $\dfrac{\Gamma, \ulcorner A \urcorner \vee \ulcorner B \urcorner, \ulcorner A \urcorner \xrightarrow{k} \ulcorner C \urcorner \quad \Gamma, \ulcorner A \urcorner \vee \ulcorner B \urcorner, \ulcorner B \urcorner \xrightarrow{k} \ulcorner C \urcorner}{\Gamma, \ulcorner A \urcorner \vee \ulcorner B \urcorner \xrightarrow{k} \ulcorner C \urcorner}$ ($\vee$L)

1. $\lfloor \Gamma \rfloor_k, A \vee B, A \vdash_G C$ (i.h. on 1st premise)

2. $\lfloor \Gamma \rfloor_k, A \vee B, B \vdash_G C$ (i.h. on 2nd premise)

3. $\lfloor \Gamma \rfloor_k, A \vee B \vdash_G A \supset C$ (Theorem G.2 on 1)

4. $\lfloor \Gamma \rfloor_k, A \vee B \vdash_G B \supset C$ (Theorem G.2 on 2)

5. $\lfloor \Gamma \rfloor_k, A \vee B \vdash_G (A \supset C) \supset ((B \supset C) \supset ((A \vee B) \supset C))$ (Rule (ax) and (disj3))

6. $\lfloor \Gamma \rfloor_k, A \vee B \vdash_G (B \supset C) \supset ((A \vee B) \supset C)$ (Rule (mp) on 5 and 3)

7. $\lfloor \Gamma \rfloor_k, A \vee B \vdash_G (A \vee B) \supset C$ (Rule (mp) on 6 and 4)

8. $\lfloor \Gamma \rfloor_k, A \vee B, A \vee B \vdash_G C$ (Theorem G.2 on 7)

9. $\lfloor \Gamma \rfloor_k, A \vee B \vdash_G A \vee B$ (Rule (use))

10. $\lfloor \Gamma \rfloor_k, A \vee B \vdash_G C$ (Lemma G.1.2 on 9 and 8)

Case. $\dfrac{}{\Gamma \xrightarrow{k} \top}$ ($\top$R)

1. $\lfloor \Gamma \rfloor_k \vdash_G \top$ (Rule (ax) and (true))

Case. $\dfrac{}{\Gamma, \bot \xrightarrow{k} \ulcorner C \urcorner}$ ($\bot$L)

1. $\lfloor \Gamma \rfloor_k \vdash_G \bot \supset C$ (Rule (ax) and (false))

2. $\lfloor \Gamma \rfloor_k, \bot \vdash_G C$ (Theorem G.2)

Case. $\dfrac{\Gamma, \ulcorner A \urcorner \xrightarrow{k} \ulcorner B \urcorner}{\Gamma \xrightarrow{k} \ulcorner A \urcorner \supset \ulcorner B \urcorner}$ ($\supset$R)

1. $\lfloor \Gamma \rfloor_k, A \vdash_G B$ (i.h. on premise)

2. $\lfloor \Gamma \rfloor_k \vdash_G A \supset B$ (Theorem G.2)

Case. $\dfrac{\Gamma, \ulcorner A \urcorner \supset \ulcorner B \urcorner \xrightarrow{k} \ulcorner A \urcorner \quad \Gamma, \ulcorner A \urcorner \supset \ulcorner B \urcorner, \ulcorner B \urcorner \xrightarrow{k} \ulcorner C \urcorner}{\Gamma, \ulcorner A \urcorner \supset \ulcorner B \urcorner \xrightarrow{k} \ulcorner C \urcorner}$ ($\supset$L)

1. $\lfloor \Gamma \rfloor_k, A \supset B \vdash_G A$ (i.h. on 1st premise)

2. $\lfloor \Gamma \rfloor_k, A \supset B, B \vdash_G C$ (i.h. on 2nd premise)

3. $\lfloor \Gamma \rfloor_k, A \supset B \vdash_G A \supset B$ (Rule (use))

4. $\lfloor \Gamma \rfloor_k, A \supset B \vdash_G B$ (Rule (mp) on 3 and 1)

5. $\lfloor \Gamma \rfloor_k, A \supset B \vdash_G C$ (Lemma G.1.2 on 4 and 2)

Proof of (2).

Case. $\dfrac{\Gamma, d\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner B \urcorner, k'\ \mathrm{says}\ \ulcorner B \urcorner \xrightarrow{d} k\ \mathrm{says}\ \ulcorner A \urcorner \quad d \succeq d}{\Gamma, d\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner B \urcorner \xrightarrow{d} k\ \mathrm{says}\ \ulcorner A \urcorner}$ (claims)

1. $\Gamma, d\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner B \urcorner, k'\ \mathrm{claims}\ \ulcorner B \urcorner \xrightarrow{d} k\ \mathrm{says}\ \ulcorner A \urcorner$ (Lemma G.5.1 on premise)

2. $\lfloor \Gamma \rfloor_d, k'\ \mathrm{says}\ B \vdash_G k\ \mathrm{says}\ A$ (i.h. on 1; the sequent in 1 is $d$-regular)

Case. $\dfrac{\Gamma|_k \xrightarrow{k} \ulcorner A \urcorner}{\Gamma \xrightarrow{d} k\ \mathrm{says}\ \ulcorner A \urcorner}$ (saysR)

By $d$-regularity, $\Gamma|_k$ must have the form $k\ \mathrm{claims}\ \ulcorner B_1 \urcorner, \ldots, k\ \mathrm{claims}\ \ulcorner B_n \urcorner$, where $d\ \mathrm{claims}\ k\ \mathrm{says}\ \ulcorner B_i \urcorner \in \Gamma$. Clearly, the premise is $k$-regular.

1. $B_1, \ldots, B_n \vdash_G A$ (i.h. (1) on premise)

2. $\cdot \vdash_G (B_1 \wedge \ldots \wedge B_n) \supset A$ (Theorem G.2)

3. $\cdot \vdash_G k\ \mathrm{says}\ ((B_1 \wedge \ldots \wedge B_n) \supset A)$ (Rule (nec))

4. $\cdot \vdash_G (k\ \mathrm{says}\ B_1 \wedge \ldots \wedge k\ \mathrm{says}\ B_n) \supset k\ \mathrm{says}\ A$ (Rule (ax), (K), and rule (mp))

5. $k\ \mathrm{says}\ B_1, \ldots, k\ \mathrm{says}\ B_n \vdash_G k\ \mathrm{says}\ A$ (Theorem G.2)

6. $\{k\ \mathrm{says}\ B_1, \ldots, k\ \mathrm{says}\ B_n\} \subseteq \lfloor \Gamma \rfloor_d$ (Defn.; $d\ \mathrm{claims}\ k\ \mathrm{says}\ \ulcorner B_i \urcorner \in \Gamma$)

7. $\lfloor \Gamma \rfloor_d \vdash_G k\ \mathrm{says}\ A$ (Lemma G.1.1 on 5 using 6)

□

Theorem G.10 (Correctness; Theorem 5.4). $\vdash A$ in ΠK if and only if $\cdot \xrightarrow{\ell} \ulcorner A \urcorner$ in DTL$_0$.

Proof. Suppose $\vdash A$ in ΠK. Then by Lemma G.4, $\cdot \xrightarrow{\ell} \ulcorner A \urcorner$.

Conversely, suppose that $\cdot \xrightarrow{\ell} \ulcorner A \urcorner$. Pick any principal $k$ in ΠK. By Theorem B.1, $\cdot \xrightarrow{k} \ulcorner A \urcorner$. Using Lemma G.9.1, we get $\cdot \vdash_G A$ in ΠK’s generalized axiomatic system. Finally, using Theorem G.3, we have $\vdash A$ in ΠK. □


H  Proofs  from  Section  5.4 


In this appendix we prove that the translation from SL to DTL$_0$ is correct (Theorem 5.5). First we prove a lemma about proofs in SL that is needed to establish the theorem.

Lemma H.1 (Basic properties of SL). The following hold for the inference system of SL.

1. (Weakening) If $\Delta \vdash_\Gamma G$ then $\Delta, A \vdash_\Gamma G$.

2. (Substitution) If $\Delta \vdash_\Gamma P$ and $\Delta, P \vdash_\Gamma G$ then $\Delta \vdash_\Gamma G$.

Proof. (1) follows by an induction on the derivation of $\Delta \vdash_\Gamma G$. (2) follows by an induction on the derivation of $\Delta, P \vdash_\Gamma G$. We show below the cases in this proof.

Case. $\dfrac{(P' \leftarrow G_1, \ldots, G_n) \in (\Delta, P) \quad (\Delta, P \vdash_\Gamma G_i)_{i \in \{1, \ldots, n\}}}{\Delta, P \vdash_\Gamma P'}$ (bc) (Non-principal case)

1. $(P' \leftarrow G_1, \ldots, G_n) \in \Delta$ (From 1st premise)

2. $(\Delta \vdash_\Gamma G_i)_{i \in \{1, \ldots, n\}}$ (i.h. on 2nd premise)

3. $\Delta \vdash_\Gamma P'$ (Rule (bc) on 1 and 2)

Case. $\dfrac{P \in (\Delta, P) \quad \text{(No other premise)}}{\Delta, P \vdash_\Gamma P}$ (bc) (Principal case)

1. $\Delta \vdash_\Gamma P$ (Given assumption)

Case. $\dfrac{(K' : \Delta') \in \Gamma \quad \Delta' \vdash_\Gamma P'}{\Delta, P \vdash_\Gamma K'\ \mathrm{says}\ P'}$ (says)

1. $\Delta \vdash_\Gamma K'\ \mathrm{says}\ P'$ (Rule (says) on the two premises)

□
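The two SL rules that appear in the cases above, (bc) and (says), describe a backward-chaining search: a goal $P$ is proved by picking a clause $P \leftarrow G_1, \ldots, G_n$ in the current assertion $\Delta$ and proving each $G_i$, and a goal $K'\ \mathrm{says}\ P'$ is proved by switching to $K'$'s own assertion $\Delta'$ from $\Gamma$. The following Python prover is an added example written for this appendix; it is not part of the paper or of Soutei. It restricts SL to propositional clauses and adds a loop check along the current search path; both are my simplifications. The function names, the sample policy and the principals `hr` and `owner` are constructed for the example.

```python
# Added example (not from the paper): backward chaining for the SL fragment
# used in Lemma H.1.  Gamma maps each principal K to its assertion Delta,
# a tuple of clauses (head, (goal, ...)); a goal is an atom "P" or
# ("says", K, "P").  Clauses are propositional here (my simplification).
#
#   (bc)   (P <- G1, ..., Gn) in Delta  and  Delta |-_Gamma Gi for all i
#          gives  Delta |-_Gamma P
#   (says) (K' : Delta') in Gamma  and  Delta' |-_Gamma P'
#          gives  Delta |-_Gamma K' says P'

def prove(gamma, delta, goal, seen=frozenset()):
    """Return a derivation tree for  delta |-_gamma goal, or None.
    Trees are ('says', K, subtree) or ('bc', clause, [subtrees]).
    `seen` holds the (delta, goal) pairs on the current search path so that a
    cyclic clause set such as p <- q, q <- p cannot loop forever."""
    if isinstance(goal, tuple):                          # rule (says)
        _, k, p = goal
        if k not in gamma or not isinstance(p, str):     # P' must be atomic
            return None
        sub = prove(gamma, gamma[k], p, seen)
        return None if sub is None else ('says', k, sub)
    key = (delta, goal)
    if key in seen:                                      # already being attempted
        return None
    seen = seen | {key}
    for clause in delta:                                 # rule (bc)
        head, body = clause
        if head != goal:
            continue
        subs = [prove(gamma, delta, g, seen) for g in body]
        if all(s is not None for s in subs):
            return ('bc', clause, subs)
    return None

def proves(gamma, delta, goal):
    """Boolean form of the judgment  delta |-_gamma goal."""
    return prove(gamma, delta, goal) is not None

def constructed_policy():
    """A constructed Gamma with two principals: hr vouches for employees, and the
    file owner grants read access only to principals hr says are employees."""
    hr = (("employee_alice", ()),)
    owner = (("read_alice", (("says", "hr", "employee_alice"),)),
             ("read_bob",   (("says", "hr", "employee_bob"),)))
    return {"hr": hr, "owner": owner}

if __name__ == "__main__":
    gamma = constructed_policy()
    print(prove(gamma, gamma["owner"], "read_alice"))    # a (bc)/(says) tree
    print(prove(gamma, gamma["owner"], "read_bob"))      # None: hr never says so
```

The returned tree is the evidence an authorization decision can be audited against: every (says) node records which principal's assertion was consulted, mirroring the premise $(K' : \Delta') \in \Gamma$ of the rule. The path-local `seen` set only rejects a goal that is already under attempt on the same branch, so it never discards a finite derivation; Weakening (Lemma H.1.1) is visible in the prover as the fact that adding clauses to $\Delta$ can only add matching iterations to the (bc) loop.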
H.1 Proof of Soundness

Now we prove soundness of the translation.

Lemma H.2 (Soundness of Translation). Suppose $(K : \Delta) \in \Gamma$. Then $\Delta \vdash_\Gamma G$ in SL implies that $\ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{K} \ulcorner G \urcorner$ in DTL$_0$.

Proof. We induct on the derivation of $\Delta \vdash_\Gamma G$, and case analyze its last rule.

Case. $\dfrac{(P \leftarrow G_1, \ldots, G_n) \in \Delta \quad (\Delta \vdash_\Gamma G_i)_{i \in \{1, \ldots, n\}}}{\Delta \vdash_\Gamma P}$ (bc)

1. $((\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P) \in \ulcorner \Delta \urcorner$ (Assumption $(P \leftarrow G_1, \ldots, G_n) \in \Delta$)

2. $\ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{K} \ulcorner G_i \urcorner$ (i.h. on 2nd premise)

3. $\ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{K} \ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner$ (Rule ($\wedge$R))

4. $\ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner, P \xrightarrow{K} P$ (Rule (init))

5. $\ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{K} P$ (Rule ($\supset$L) on 3 and 4 using 1)

Case. $\dfrac{(K' : \Delta') \in \Gamma \quad \Delta' \vdash_\Gamma P}{\Delta \vdash_\Gamma K'\ \mathrm{says}\ P}$ (says)

Let $\Gamma = (K_i : \Delta_i)_{i \in \{1, \ldots, m\}}$, where each $\Delta_i = B_{1,i}, \ldots, B_{n_i,i}$. Then $\ulcorner \Gamma \urcorner = (\ell\ \mathrm{says}\ K_i\ \mathrm{says}\ \ulcorner B_{1,i} \urcorner, \ldots, \ell\ \mathrm{says}\ K_i\ \mathrm{says}\ \ulcorner B_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}}$. Further assume that $K' = K_t$ (where $t \in \{1, \ldots, m\}$), so that $\Delta' = B_{1,t}, \ldots, B_{n_t,t}$.

1. $(\ell\ \mathrm{says}\ K_i\ \mathrm{says}\ \ulcorner B_{1,i} \urcorner, \ldots, \ell\ \mathrm{says}\ K_i\ \mathrm{says}\ \ulcorner B_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}}, \ulcorner B_{1,t} \urcorner, \ldots, \ulcorner B_{n_t,t} \urcorner \xrightarrow{K_t} P$ (i.h. on premise)

2. $(\ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner B_{1,i} \urcorner, \ldots, \ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner B_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}}, \ulcorner B_{1,t} \urcorner, \ldots, \ulcorner B_{n_t,t} \urcorner \xrightarrow{K_t} P$ (Lemma G.5.1)

3. $(\ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner B_{1,i} \urcorner, \ldots, \ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner B_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}} \xrightarrow{K_t} P$ (Weakening, Rules (claims), (saysL) and (claims))

4. $(\ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner B_{1,i} \urcorner, \ldots, \ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner B_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}} \xrightarrow{\ell} K_t\ \mathrm{says}\ P$ (Rule (saysR))

5. $(\ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner B_{1,i} \urcorner, \ldots, \ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner B_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}}, \ulcorner \Delta \urcorner \xrightarrow{K} \ell\ \mathrm{says}\ K_t\ \mathrm{says}\ P$ (Rule (saysR))

6. $(\ell\ \mathrm{says}\ K_i\ \mathrm{says}\ \ulcorner B_{1,i} \urcorner, \ldots, \ell\ \mathrm{says}\ K_i\ \mathrm{says}\ \ulcorner B_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}}, \ulcorner \Delta \urcorner \xrightarrow{K} \ell\ \mathrm{says}\ K_t\ \mathrm{says}\ P$ (Weakening and Rule (saysL))

□
H.2 Proof of Completeness

To prove completeness of the translation, we carefully characterize DTL$_0$ sequents that may occur in the proof of a translated Soutei query. We call these sequents regular sequents. As a general convention, we use the letter $k$ to denote principals in SL, and the letter $K$ to denote principals in DTL$_0$. The latter may either be principals from SL, or $\ell$. In addition to $\Gamma$, we also use the letter $\Phi$ to denote DTL$_0$ hypotheses. (The categorical judgments allowed in the hypotheses denoted by the symbols $\Gamma$ and $\Phi$ differ, as described below.)

Definition H.3 (Regular Hypothesis). A DTL$_0$ hypothesis $\Gamma$ is called 0-regular if the following hold:

1. All assumptions in $\Gamma$ have the form $\ell\ \mathrm{claims}\ k\ \mathrm{says}\ \ulcorner A \urcorner$ or $k\ \mathrm{claims}\ \ulcorner A \urcorner$, where $A$ denotes an arbitrary SL clause.

2. $k\ \mathrm{claims}\ \ulcorner A \urcorner \in \Gamma$ implies $\ell\ \mathrm{claims}\ k\ \mathrm{says}\ \ulcorner A \urcorner \in \Gamma$

If $k$ is a principal in SL, we call the DTL$_0$ hypothesis $\Gamma, \Phi$ $k$-regular if the following hold:

1. $\Gamma$ is a 0-regular hypothesis.

2. All assumptions in $\Phi$ have the form $P$ or $\ulcorner A \urcorner$, where $P$ denotes an arbitrary atomic formula, and $A$ denotes an arbitrary SL clause.

3. $\ulcorner A \urcorner \in \Phi$ and $A \neq P$ implies $k\ \mathrm{claims}\ \ulcorner A \urcorner \in \Gamma$.

Definition H.4 (Regular Sequents). We call a DTL$_0$ sequent $\alpha$-regular if it has the form $\Gamma, \Phi \xrightarrow{k} \ulcorner G \urcorner$, where $\Gamma, \Phi$ is a $k$-regular hypothesis, and $G$ is an SL goal.

A DTL$_0$ sequent is called $\beta$-regular if it has the form $\Gamma \xrightarrow{\ell} k\ \mathrm{says}\ P$, where $\Gamma$ is a 0-regular hypothesis.

Next we define an inverse translation $\lfloor \cdot \rfloor$ from regular hypotheses to hypotheses and assertions of SL.

Definition H.5 (Inverse Translation). If $\Gamma$ is 0-regular then we define the SL hypothesis $\lfloor \Gamma \rfloor$ as follows:

$\lfloor \Gamma \rfloor = \{k : \{A \mid \ell\ \mathrm{claims}\ k\ \mathrm{says}\ \ulcorner A \urcorner \in \Gamma\} \mid k \in \mathrm{SL}\}$

Similarly, if $\Gamma, \Phi$ is $k$-regular, we define the SL assertion $\lfloor \Gamma, \Phi \rfloor_k$ as follows:

$\lfloor \Gamma, \Phi \rfloor_k = \{A \mid \ell\ \mathrm{claims}\ k\ \mathrm{says}\ \ulcorner A \urcorner \in \Gamma\} \cup \{P \mid P \in \Phi\}$

We now prove completeness of the translation.

Lemma H.6 (Completeness of Translation). The following hold:

1. ($\alpha$-regular) If $\Gamma, \Phi \xrightarrow{k} \ulcorner G \urcorner$ is $\alpha$-regular and provable in DTL$_0$, then $\lfloor \Gamma, \Phi \rfloor_k \vdash_{\lfloor \Gamma \rfloor} G$ in SL.

2. ($\beta$-regular) If $\Gamma \xrightarrow{\ell} k\ \mathrm{says}\ P$ is $\beta$-regular and provable in DTL$_0$, then $\cdot \vdash_{\lfloor \Gamma \rfloor} k\ \mathrm{says}\ P$ in SL.
Proof. We prove both statements simultaneously by induction on the depths of the given derivations in DTL$_0$. We remind the reader that $A$ denotes a clause from SL, not a DTL$_0$ formula. We analyze cases on the last rule in the given derivation.

Proof of (1).

Case. $\dfrac{P \text{ atomic}}{\Gamma, (\Phi, P) \xrightarrow{k} P}$ (init)

Observe that by definition, $P \in \lfloor \Gamma, (\Phi, P) \rfloor_k$.

1. $\lfloor \Gamma, (\Phi, P) \rfloor_k \vdash_{\lfloor \Gamma \rfloor} P$ (Rule (bc))

Case. $\dfrac{(\Gamma, k\ \mathrm{claims}\ \ulcorner A \urcorner), (\Phi, \ulcorner A \urcorner) \xrightarrow{k} \ulcorner G \urcorner \quad k \succeq k}{(\Gamma, k\ \mathrm{claims}\ \ulcorner A \urcorner), \Phi \xrightarrow{k} \ulcorner G \urcorner}$ (claims)

Note that the premise is $\alpha$-regular.

1. $\lfloor (\Gamma, k\ \mathrm{claims}\ \ulcorner A \urcorner), (\Phi, \ulcorner A \urcorner) \rfloor_k \vdash_{\lfloor \Gamma, k\ \mathrm{claims}\ \ulcorner A \urcorner \rfloor} G$ (i.h. on premise)

2. $\lfloor (\Gamma, k\ \mathrm{claims}\ \ulcorner A \urcorner), (\Phi, \ulcorner A \urcorner) \rfloor_k = \lfloor (\Gamma, k\ \mathrm{claims}\ \ulcorner A \urcorner), \Phi \rfloor_k$ (Defn.)

3. $\lfloor (\Gamma, k\ \mathrm{claims}\ \ulcorner A \urcorner), \Phi \rfloor_k \vdash_{\lfloor \Gamma, k\ \mathrm{claims}\ \ulcorner A \urcorner \rfloor} G$ (1, 2)

Case. $\dfrac{(\Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner), k'\ \mathrm{says}\ \ulcorner A \urcorner, \Phi \xrightarrow{k} \ulcorner G \urcorner \quad \ell \succeq k}{(\Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner), \Phi \xrightarrow{k} \ulcorner G \urcorner}$ (claims)

1. $(\Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner, k'\ \mathrm{claims}\ \ulcorner A \urcorner), \Phi \xrightarrow{k} \ulcorner G \urcorner$ (Lemma G.5.1 on premise)

2. $\lfloor (\Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner, k'\ \mathrm{claims}\ \ulcorner A \urcorner), \Phi \rfloor_k \vdash_{\lfloor \Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner, k'\ \mathrm{claims}\ \ulcorner A \urcorner \rfloor} G$ (i.h. on 1; the sequent in 1 is $\alpha$-regular)

3. $\lfloor (\Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner, k'\ \mathrm{claims}\ \ulcorner A \urcorner), \Phi \rfloor_k = \lfloor (\Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner), \Phi \rfloor_k$ (Defn.)

4. $\lfloor \Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner, k'\ \mathrm{claims}\ \ulcorner A \urcorner \rfloor = \lfloor \Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner \rfloor$ (Defn.)

5. $\lfloor (\Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner), \Phi \rfloor_k \vdash_{\lfloor \Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner \rfloor} G$ (2, 3, 4)

Case. $\dfrac{\Gamma|_\ell \xrightarrow{\ell} k'\ \mathrm{says}\ P}{\Gamma, \Phi \xrightarrow{k} \ell\ \mathrm{says}\ k'\ \mathrm{says}\ P}$ (saysR)

Note that the premise is $\beta$-regular.

1. $\cdot \vdash_{\lfloor \Gamma|_\ell \rfloor} k'\ \mathrm{says}\ P$ (i.h. (2) on the premise)

2. $\lfloor \Gamma|_\ell \rfloor = \lfloor \Gamma \rfloor$ (Defn.)

3. $\cdot \vdash_{\lfloor \Gamma \rfloor} k'\ \mathrm{says}\ P$ (1, 2)

4. $\lfloor \Gamma, \Phi \rfloor_k \vdash_{\lfloor \Gamma \rfloor} k'\ \mathrm{says}\ P$ (Lemma H.1.1 on 3)

Case. $\dfrac{\Gamma, (\Phi, (\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P) \xrightarrow{k} \ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner \quad \Gamma, (\Phi, (\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P), P \xrightarrow{k} \ulcorner G \urcorner}{\Gamma, (\Phi, (\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P) \xrightarrow{k} \ulcorner G \urcorner}$ ($\supset$L)

1. $\Gamma, (\Phi, (\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P) \xrightarrow{k} \ulcorner G_i \urcorner$ (Lemma G.5.2 on 1st premise)

2. $\lfloor \Gamma, (\Phi, (\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P) \rfloor_k \vdash_{\lfloor \Gamma \rfloor} G_i$ (i.h. on 1)

3. $k\ \mathrm{claims}\ ((\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P) \in \Gamma$ (Defn. of $k$-regular)

4. $\ell\ \mathrm{claims}\ k\ \mathrm{says}\ ((\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P) \in \Gamma$ (Defn. of 0-regular and 3)

5. $P \leftarrow G_1, \ldots, G_n \in \lfloor \Gamma, (\Phi, (\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P) \rfloor_k$ (Defn. of $\lfloor \cdot \rfloor_k$ and 4)

6. $\lfloor \Gamma, (\Phi, (\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P) \rfloor_k \vdash_{\lfloor \Gamma \rfloor} P$ (Rule (bc) on 5 and 2)

7. $\lfloor \Gamma, (\Phi, (\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P) \rfloor_k, P \vdash_{\lfloor \Gamma \rfloor} G$ (i.h. on 2nd premise)

8. $\lfloor \Gamma, (\Phi, (\ulcorner G_1 \urcorner \wedge \ldots \wedge \ulcorner G_n \urcorner) \supset P) \rfloor_k \vdash_{\lfloor \Gamma \rfloor} G$ (Lemma H.1.2 on 6 and 7)

Proof of (2).

Case. $\dfrac{\Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner, k'\ \mathrm{says}\ \ulcorner A \urcorner \xrightarrow{\ell} k\ \mathrm{says}\ P \quad \ell \succeq \ell}{\Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner \xrightarrow{\ell} k\ \mathrm{says}\ P}$ (claims)

1. $\Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner, k'\ \mathrm{claims}\ \ulcorner A \urcorner \xrightarrow{\ell} k\ \mathrm{says}\ P$ (Lemma G.5.1 on premise)

2. $\cdot \vdash_{\lfloor \Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner, k'\ \mathrm{claims}\ \ulcorner A \urcorner \rfloor} k\ \mathrm{says}\ P$ (i.h. on 1)

3. $\lfloor \Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner, k'\ \mathrm{claims}\ \ulcorner A \urcorner \rfloor = \lfloor \Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner \rfloor$ (Defn.)

4. $\cdot \vdash_{\lfloor \Gamma, \ell\ \mathrm{claims}\ k'\ \mathrm{says}\ \ulcorner A \urcorner \rfloor} k\ \mathrm{says}\ P$ (2, 3)

Case. $\dfrac{\Gamma|_k \xrightarrow{k} P}{\Gamma \xrightarrow{\ell} k\ \mathrm{says}\ P}$ (saysR)

Note that the premise is $\alpha$-regular (with $\Phi = \cdot$).

1. $\lfloor \Gamma|_k \rfloor_k \vdash_{\lfloor \Gamma|_k \rfloor} P$ (i.h. (1) on premise)

2. $\lfloor \Gamma|_k \rfloor = \lfloor \Gamma \rfloor$ (Defn.)

3. $\lfloor \Gamma|_k \rfloor_k \vdash_{\lfloor \Gamma \rfloor} P$ (1, 2)

4. $k : \lfloor \Gamma|_k \rfloor_k \in \lfloor \Gamma \rfloor$ (Defn.)

5. $\cdot \vdash_{\lfloor \Gamma \rfloor} k\ \mathrm{says}\ P$ (Rule (says) on 4 and 3)

□




Theorem H.7 (Correctness; Theorem 5.5). Suppose $(K : \Delta) \in \Gamma$. Then $\Delta \vdash_\Gamma G$ in SL if and only if $\ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{K} \ulcorner G \urcorner$ in DTL$_0$.

Proof. Suppose $(K : \Delta) \in \Gamma$ and $\Delta \vdash_\Gamma G$ in SL. Then $\ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{K} \ulcorner G \urcorner$ by Lemma H.2.

Conversely, suppose that $(K : \Delta) \in \Gamma$ and $\ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{K} \ulcorner G \urcorner$ in DTL$_0$. Let $\Gamma = (K_i : \Delta_i)_{i \in \{1, \ldots, m\}}$, where each $\Delta_i = A_{1,i}, \ldots, A_{n_i,i}$. Then $\ulcorner \Gamma \urcorner = (\ell\ \mathrm{says}\ K_i\ \mathrm{says}\ \ulcorner A_{1,i} \urcorner, \ldots, \ell\ \mathrm{says}\ K_i\ \mathrm{says}\ \ulcorner A_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}}$. Further assume that $K = K_t$ (where $t \in \{1, \ldots, m\}$), so that $\Delta = A_{1,t}, \ldots, A_{n_t,t}$. Then we have,

1. $(\ell\ \mathrm{says}\ K_i\ \mathrm{says}\ \ulcorner A_{1,i} \urcorner, \ldots, \ell\ \mathrm{says}\ K_i\ \mathrm{says}\ \ulcorner A_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}}, \ulcorner A_{1,t} \urcorner, \ldots, \ulcorner A_{n_t,t} \urcorner \xrightarrow{K_t} \ulcorner G \urcorner$ (Assumption)

2. $(\ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner A_{1,i} \urcorner, \ldots, \ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner A_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}}, \ulcorner A_{1,t} \urcorner, \ldots, \ulcorner A_{n_t,t} \urcorner \xrightarrow{K_t} \ulcorner G \urcorner$ (Lemma G.5.1)

3. $(\ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner A_{1,i} \urcorner, \ldots, \ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner A_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}}, K_t\ \mathrm{claims}\ \ulcorner A_{1,t} \urcorner, \ldots, K_t\ \mathrm{claims}\ \ulcorner A_{n_t,t} \urcorner, \ulcorner A_{1,t} \urcorner, \ldots, \ulcorner A_{n_t,t} \urcorner \xrightarrow{K_t} \ulcorner G \urcorner$ (Weakening)

4. $\Gamma = \lfloor (\ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner A_{1,i} \urcorner, \ldots, \ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner A_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}}, K_t\ \mathrm{claims}\ \ulcorner A_{1,t} \urcorner, \ldots, K_t\ \mathrm{claims}\ \ulcorner A_{n_t,t} \urcorner \rfloor$ (Defn.)

5. $\Delta = \lfloor (\ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner A_{1,i} \urcorner, \ldots, \ell\ \mathrm{claims}\ K_i\ \mathrm{says}\ \ulcorner A_{n_i,i} \urcorner)_{i \in \{1, \ldots, m\}}, K_t\ \mathrm{claims}\ \ulcorner A_{1,t} \urcorner, \ldots, K_t\ \mathrm{claims}\ \ulcorner A_{n_t,t} \urcorner, \ulcorner A_{1,t} \urcorner, \ldots, \ulcorner A_{n_t,t} \urcorner \rfloor_{K_t}$ (Defn.)

6. $\Delta \vdash_\Gamma G$ (Lemma H.6.1 on 3 using 4 and 5 to abbreviate; the sequent in 3 is $\alpha$-regular)

□


I  Proofs  from  Section  5.5 

In this appendix we prove the theorems related to BL$_0$ (Section 5.5). Many of these theorems rely on the Hilbert style axiomatization for BL$_0$, which we develop first.

I.1 The Axiomatic System for BL$_0$

In Section 5.5, we presented some rules and axioms for the axiomatic system of BL$_0$. Here, we list all the rules and axioms, including those listed earlier.

$\dfrac{\vdash A}{\vdash K\ \mathrm{says}\ A}$ (nec)

$\dfrac{\vdash A \supset B \quad \vdash A}{\vdash B}$ (mp)

$\dfrac{A \text{ is an axiom}}{\vdash A}$ (ax)

Axioms:

$(K\ \mathrm{says}\ (A \supset B)) \supset ((K\ \mathrm{says}\ A) \supset (K\ \mathrm{says}\ B))$ (K)

$(K\ \mathrm{says}\ A) \supset K'\ \mathrm{says}\ K\ \mathrm{says}\ A$ (Bind)

$K\ \mathrm{says}\ ((K\ \mathrm{says}\ A) \supset A)$ (C)

$A \supset (B \supset A)$ (imp1)

$(A \supset B) \supset ((A \supset (B \supset C)) \supset (A \supset C))$ (imp2)

$A \supset (B \supset (A \wedge B))$ (conj1)

$(A \wedge B) \supset A$ (conj2)

$(A \wedge B) \supset B$ (conj3)

$A \supset (A \vee B)$ (disj1)

$B \supset (A \vee B)$ (disj2)

$(A \supset C) \supset ((B \supset C) \supset ((A \vee B) \supset C))$ (disj3)

$\top$ (true)

$\bot \supset A$ (false)

Next, as we did for DTL$_0$ in Appendix C, we introduce a generalized axiomatic system for BL$_0$. Let $\Gamma$ denote a multiset of formulas (not judgments). We write $\Gamma \vdash_G A$ to mean that $A$ may be established from assumptions $\Gamma$. The rules of the generalized axiomatic system are:

$\dfrac{}{\Gamma, A \vdash_G A}$ (use)

$\dfrac{\cdot \vdash_G A}{\Gamma \vdash_G K\ \mathrm{says}\ A}$ (nec)

$\dfrac{\Gamma \vdash_G A \supset B \quad \Gamma \vdash_G A}{\Gamma \vdash_G B}$ (mp)

$\dfrac{A \text{ is an axiom}}{\Gamma \vdash_G A}$ (ax)

Now we prove some basic properties of the generalized axiomatic system, including the deduction theorem, and show that the generalized system reduces to the axiomatic system when $\Gamma$ is empty.

Lemma I.1 (Basic properties). The following hold.

1. (Weakening) $\Gamma \vdash_G A$ implies $\Gamma, \Gamma' \vdash_G A$

2. (Substitution) $\Gamma \vdash_G A$ and $\Gamma, A \vdash_G B$ imply $\Gamma \vdash_G B$

Proof. Exactly as for DTL$_0$ in Lemma C.1. The proof does not rely on the axiom (4), which is the only difference between the two systems. □

Theorem I.2 (Deduction). The following hold.

1. $\Gamma \vdash_G A \supset B$ implies $\Gamma, A \vdash_G B$

2. $\Gamma, A \vdash_G B$ implies $\Gamma \vdash_G A \supset B$

Proof. Exactly as for DTL$_0$ in Theorem C.2. The proof does not rely on the axiom (4), which is the only difference between the two systems. □

Theorem I.3 (G iff Axiomatic). $\vdash A$ if and only if $\cdot \vdash_G A$

Proof. In each direction by straightforward induction on the given derivation. □
I.2 Proofs of Theorems 5.6 and 5.7

We simultaneously prove Theorem 5.6 (Equivalence of sequent calculus and axiomatic system for BL$_0$), and Theorem 5.7 (Correctness of translation from BL$_0$ to DTL$_0$). To do this we establish three lemmas.

Lemma I.4 (Sequent Calculus $\Rightarrow$ Axiomatic System). $\Gamma \xrightarrow{K} A$ in BL$_0$’s sequent calculus (Figure 5) implies $\cdot \vdash_G K\ \mathrm{says}\ (\Gamma \supset A)$ in BL$_0$’s generalized axiomatic system. (In the conclusion, $\Gamma$ stands for the conjunction of its assumptions, with $K\ \mathrm{claims}\ A$ read as $K\ \mathrm{says}\ A$, as the cases below show.)

Proof. We induct on the given derivation of $\Gamma \xrightarrow{K} A$, and show some cases related to claims and says. We freely use properties such as Currying in the axiomatic system.

Case. $\dfrac{P \text{ atomic}}{\Gamma, P \xrightarrow{K} P}$ (init)

1. $\cdot \vdash_G (\Gamma \wedge P) \supset P$ (Rule (ax) and (conj3))

2. $\cdot \vdash_G K\ \mathrm{says}\ ((\Gamma \wedge P) \supset P)$ (Rule (nec))

Case. $\dfrac{\Gamma, K\ \mathrm{claims}\ A, A \xrightarrow{K} C}{\Gamma, K\ \mathrm{claims}\ A \xrightarrow{K} C}$ (claims)

1. $\cdot \vdash_G K\ \mathrm{says}\ ((\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A) \supset C)$ (i.h. on premise)

2. $\cdot \vdash_G ((\Gamma \wedge K\ \mathrm{says}\ A) \supset A) \supset (((\Gamma \wedge K\ \mathrm{says}\ A) \supset (A \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A))) \supset ((\Gamma \wedge K\ \mathrm{says}\ A) \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A)))$ (Rule (ax) and (imp2))

3. $\cdot \vdash_G (K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset A)) \supset ((K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset (A \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A)))) \supset K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A)))$ (Rule (ax), (K), Rule (mp))

4. $\cdot \vdash_G K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset A)$ (Theorem in G, follows from (C))

5. $\cdot \vdash_G (K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset (A \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A)))) \supset K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A))$ (Rule (mp) on 3 and 4)

6. $\cdot \vdash_G (\Gamma \wedge K\ \mathrm{says}\ A) \supset (A \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A))$ (Currying)

7. $\cdot \vdash_G K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset (A \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A)))$ (Rule (nec))

8. $\cdot \vdash_G K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A))$ (Rule (mp) on 5 and 7)

9. $\cdot \vdash_G (A \supset B) \supset ((B \supset C) \supset (A \supset C))$ (Theorem in G)

10. $\cdot \vdash_G K\ \mathrm{says}\ ((A \supset B) \supset ((B \supset C) \supset (A \supset C)))$ (Rule (nec))

11. $\cdot \vdash_G (K\ \mathrm{says}\ (A \supset B)) \supset ((K\ \mathrm{says}\ (B \supset C)) \supset K\ \mathrm{says}\ (A \supset C))$ (Rule (ax), (K), rule (mp))

12. $\cdot \vdash_G (K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A))) \supset ((K\ \mathrm{says}\ ((\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A) \supset C)) \supset K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset C))$ (Instantiate 11)

13. $\cdot \vdash_G (K\ \mathrm{says}\ ((\Gamma \wedge (K\ \mathrm{says}\ A) \wedge A) \supset C)) \supset K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset C)$ (Rule (mp) on 12 and 8)

14. $\cdot \vdash_G K\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset C)$ (Rule (mp) on 13 and 1)

Case. $\dfrac{\Gamma|_K \xrightarrow{K} A}{\Gamma \xrightarrow{K'} K\ \mathrm{says}\ A}$ (saysR)

Let $\Gamma|_K = K_1\ \mathrm{says}\ A_1, \ldots, K_n\ \mathrm{says}\ A_n$.

1. $\cdot \vdash_G K\ \mathrm{says}\ ((K_1\ \mathrm{says}\ A_1 \wedge \ldots \wedge K_n\ \mathrm{says}\ A_n) \supset A)$ (i.h. on premise)

2. $\cdot \vdash_G (K\ \mathrm{says}\ K_1\ \mathrm{says}\ A_1 \wedge \ldots \wedge K\ \mathrm{says}\ K_n\ \mathrm{says}\ A_n) \supset K\ \mathrm{says}\ A$ (Rule (ax), (K), and Rule (mp))

3. $K\ \mathrm{says}\ K_1\ \mathrm{says}\ A_1, \ldots, K\ \mathrm{says}\ K_n\ \mathrm{says}\ A_n \vdash_G K\ \mathrm{says}\ A$ (Theorem I.2)

4. $\cdot \vdash_G (K_i\ \mathrm{says}\ A_i) \supset (K\ \mathrm{says}\ K_i\ \mathrm{says}\ A_i)$ (Rule (ax) and (Bind))

5. $K_i\ \mathrm{says}\ A_i \vdash_G K\ \mathrm{says}\ K_i\ \mathrm{says}\ A_i$ (Theorem I.2)

6. $K_1\ \mathrm{says}\ A_1, \ldots, K_n\ \mathrm{says}\ A_n \vdash_G K\ \mathrm{says}\ A$ (Lemma I.1.2 on 5 and 3)

7. $\Gamma \vdash_G K\ \mathrm{says}\ A$ (Lemma I.1.1)

8. $\cdot \vdash_G \Gamma \supset K\ \mathrm{says}\ A$ (Theorem I.2)

9. $\cdot \vdash_G K'\ \mathrm{says}\ (\Gamma \supset K\ \mathrm{says}\ A)$ (Rule (nec))

Case. $\dfrac{\Gamma, K\ \mathrm{says}\ A, K\ \mathrm{claims}\ A \xrightarrow{K'} C}{\Gamma, K\ \mathrm{says}\ A \xrightarrow{K'} C}$ (saysL)

1. $\cdot \vdash_G K'\ \mathrm{says}\ ((\Gamma \wedge (K\ \mathrm{says}\ A) \wedge (K\ \mathrm{says}\ A)) \supset C)$ (i.h. on premise)

2. $\cdot \vdash_G (\Gamma \wedge K\ \mathrm{says}\ A) \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge (K\ \mathrm{says}\ A))$ (Theorem in G)

3. $\cdot \vdash_G K'\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge (K\ \mathrm{says}\ A)))$ (Rule (nec))

4. $\cdot \vdash_G (A \supset B) \supset ((B \supset C) \supset (A \supset C))$ (Theorem in G)

5. $\cdot \vdash_G K'\ \mathrm{says}\ ((A \supset B) \supset ((B \supset C) \supset (A \supset C)))$ (Rule (nec))

6. $\cdot \vdash_G (K'\ \mathrm{says}\ (A \supset B)) \supset ((K'\ \mathrm{says}\ (B \supset C)) \supset K'\ \mathrm{says}\ (A \supset C))$ (Rule (ax), (K), rule (mp))

7. $\cdot \vdash_G (K'\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset (\Gamma \wedge (K\ \mathrm{says}\ A) \wedge (K\ \mathrm{says}\ A)))) \supset ((K'\ \mathrm{says}\ ((\Gamma \wedge (K\ \mathrm{says}\ A) \wedge (K\ \mathrm{says}\ A)) \supset C)) \supset K'\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset C))$ (Instantiate 6)

8. $\cdot \vdash_G (K'\ \mathrm{says}\ ((\Gamma \wedge (K\ \mathrm{says}\ A) \wedge (K\ \mathrm{says}\ A)) \supset C)) \supset K'\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset C)$ (Rule (mp) on 7 and 3)

9. $\cdot \vdash_G K'\ \mathrm{says}\ ((\Gamma \wedge K\ \mathrm{says}\ A) \supset C)$ (Rule (mp) on 8 and 1)

□

Lemma I.5 (Soundness of Translation). If $\vdash A$ in BL$_0$, then for every $K$, $\cdot \xrightarrow{K} \llbracket A \rrbracket$ in DTL$_0$.

Proof. We induct on the derivation of $\vdash A$, and case analyze the last rule.

Case. $\dfrac{\vdash A}{\vdash K'\ \mathrm{says}\ A}$ (nec)

To show: $\cdot \xrightarrow{K} \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A \rrbracket$.

1. $\cdot \xrightarrow{K'} \llbracket A \rrbracket$ (i.h. on premise)

2. $\cdot \xrightarrow{\ell} K'\ \mathrm{says}\ \llbracket A \rrbracket$ (Rule (saysR))

3. $\cdot \xrightarrow{K} \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A \rrbracket$ (Rule (saysR))

Case. $\dfrac{\vdash A \supset B \quad \vdash A}{\vdash B}$ (mp)

1. $\cdot \xrightarrow{K} \llbracket A \rrbracket \supset \llbracket B \rrbracket$ (i.h. on 1st premise)

2. $\cdot \xrightarrow{K} \llbracket A \rrbracket$ (i.h. on 2nd premise)

3. $\llbracket A \rrbracket, \llbracket A \rrbracket \supset \llbracket B \rrbracket \xrightarrow{K} \llbracket B \rrbracket$ (Theorem in DTL$_0$)

4. $\llbracket A \rrbracket \supset \llbracket B \rrbracket \xrightarrow{K} \llbracket B \rrbracket$ (Theorem B.2 on 3 and 2)

5. $\cdot \xrightarrow{K} \llbracket B \rrbracket$ (Theorem B.2 on 4 and 1)

Case. $\dfrac{A \text{ is an axiom}}{\vdash A}$ (ax)

To show: $\cdot \xrightarrow{K} \llbracket A \rrbracket$. We case analyze all the axioms, showing only some of the important cases here. The other cases are straightforward.

Case. (Axiom K) $A = (K'\ \mathrm{says}\ (A' \supset B')) \supset ((K'\ \mathrm{says}\ A') \supset (K'\ \mathrm{says}\ B'))$

To show: $\cdot \xrightarrow{K} (\ell\ \mathrm{says}\ K'\ \mathrm{says}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket)) \supset ((\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket) \supset (\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket B' \rrbracket))$

1. $\llbracket A' \rrbracket \supset \llbracket B' \rrbracket, \llbracket A' \rrbracket \xrightarrow{K'} \llbracket A' \rrbracket$ (Theorem B.3)

2. $\llbracket A' \rrbracket \supset \llbracket B' \rrbracket, \llbracket A' \rrbracket, \llbracket B' \rrbracket \xrightarrow{K'} \llbracket B' \rrbracket$ (Theorem B.3)

3. $\llbracket A' \rrbracket \supset \llbracket B' \rrbracket, \llbracket A' \rrbracket \xrightarrow{K'} \llbracket B' \rrbracket$ (Rule ($\supset$L))

4. $K'\ \mathrm{claims}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket), \llbracket A' \rrbracket \supset \llbracket B' \rrbracket, K'\ \mathrm{claims}\ \llbracket A' \rrbracket, \llbracket A' \rrbracket \xrightarrow{K'} \llbracket B' \rrbracket$ (Weakening)

5. $K'\ \mathrm{claims}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket), K'\ \mathrm{claims}\ \llbracket A' \rrbracket \xrightarrow{K'} \llbracket B' \rrbracket$ (Rule (claims) twice)

6. $K'\ \mathrm{says}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket), K'\ \mathrm{claims}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket), K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{claims}\ \llbracket A' \rrbracket \xrightarrow{\ell} K'\ \mathrm{says}\ \llbracket B' \rrbracket$ (Rule (saysR))

7. $K'\ \mathrm{says}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket), K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{\ell} K'\ \mathrm{says}\ \llbracket B' \rrbracket$ (Rule (saysL) twice)

8. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket), K'\ \mathrm{says}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket), \ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{\ell} K'\ \mathrm{says}\ \llbracket B' \rrbracket$ (Weakening)

9. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket), \ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{\ell} K'\ \mathrm{says}\ \llbracket B' \rrbracket$ (Rule (claims) twice)

10. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket), \ell\ \mathrm{says}\ K'\ \mathrm{says}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket), \ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket, \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{K} \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket B' \rrbracket$ (Rule (saysR))

11. $\ell\ \mathrm{says}\ K'\ \mathrm{says}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket), \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{K} \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket B' \rrbracket$ (Rule (saysL) twice)

12. $\cdot \xrightarrow{K} (\ell\ \mathrm{says}\ K'\ \mathrm{says}\ (\llbracket A' \rrbracket \supset \llbracket B' \rrbracket)) \supset ((\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket) \supset (\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket B' \rrbracket))$ (Rule ($\supset$R) twice)

Case. (Axiom Bind) $A = (K'\ \mathrm{says}\ A') \supset K''\ \mathrm{says}\ K'\ \mathrm{says}\ A'$

To show: $\cdot \xrightarrow{K} (\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket) \supset \ell\ \mathrm{says}\ K''\ \mathrm{says}\ \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket$

1. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{claims}\ \llbracket A' \rrbracket, \llbracket A' \rrbracket \xrightarrow{K'} \llbracket A' \rrbracket$ (Theorem B.3)

2. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{claims}\ \llbracket A' \rrbracket \xrightarrow{K'} \llbracket A' \rrbracket$ (Rule (claims))

3. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{K'} \llbracket A' \rrbracket$ (Rule (saysL))

4. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{K'} \llbracket A' \rrbracket$ (Rule (claims))

5. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{\ell} K'\ \mathrm{says}\ \llbracket A' \rrbracket$ (Rule (saysR))

6. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{K''} \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket$ (Rule (saysR))

7. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{\ell} K''\ \mathrm{says}\ \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket$ (Rule (saysR))

8. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket, \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{K} \ell\ \mathrm{says}\ K''\ \mathrm{says}\ \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket$ (Rule (saysR))

9. $\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{K} \ell\ \mathrm{says}\ K''\ \mathrm{says}\ \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket$ (Rule (saysL))

10. $\cdot \xrightarrow{K} (\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket) \supset \ell\ \mathrm{says}\ K''\ \mathrm{says}\ \ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket$ (Rule ($\supset$R))

Case. (Axiom C) $A = K'\ \mathrm{says}\ ((K'\ \mathrm{says}\ A') \supset A')$

To show: $\cdot \xrightarrow{K} \ell\ \mathrm{says}\ K'\ \mathrm{says}\ ((\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket) \supset \llbracket A' \rrbracket)$

1. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{claims}\ \llbracket A' \rrbracket, \llbracket A' \rrbracket \xrightarrow{K'} \llbracket A' \rrbracket$ (Theorem B.3)

2. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{claims}\ \llbracket A' \rrbracket \xrightarrow{K'} \llbracket A' \rrbracket$ (Rule (claims))

3. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket, K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{K'} \llbracket A' \rrbracket$ (Rule (saysL))

4. $\ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{K'} \llbracket A' \rrbracket$ (Rule (claims))

5. $\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket, \ell\ \mathrm{claims}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{K'} \llbracket A' \rrbracket$ (Weakening)

6. $\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket \xrightarrow{K'} \llbracket A' \rrbracket$ (Rule (saysL))

7. $\cdot \xrightarrow{K'} (\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket) \supset \llbracket A' \rrbracket$ (Rule ($\supset$R))

8. $\cdot \xrightarrow{\ell} K'\ \mathrm{says}\ ((\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket) \supset \llbracket A' \rrbracket)$ (Rule (saysR))

9. $\cdot \xrightarrow{K} \ell\ \mathrm{says}\ K'\ \mathrm{says}\ ((\ell\ \mathrm{says}\ K'\ \mathrm{says}\ \llbracket A' \rrbracket) \supset \llbracket A' \rrbracket)$ (Rule (saysR))

□

Finally, we seek to show that whenever $\lfloor\Gamma\rfloor \xrightarrow{K} \lfloor A\rfloor$ in DTL0, it is the case that $\Gamma \xrightarrow{K} A$ in BL0. To do this, we syntactically characterize the sequents that may occur in a proof of $\lfloor\Gamma\rfloor \xrightarrow{K} \lfloor A\rfloor$. We call these sequents regular sequents. We further categorize regular sequents into two kinds: $\alpha$-regular and $\beta$-regular. As a general convention, we use the lowercase letter $k$ to denote principals from BL0, i.e., principals distinct from $\ell$. By assumption, such principals are unrelated to each other in the order $\succeq$.

Definition 1.6 (Regular Sequents). A DTL0 sequent is called regular if it has one of the two forms:

1. ($\alpha$-regular) $\Gamma \xrightarrow{k} \lfloor A\rfloor$, where $\Gamma$ contains assumptions of the following forms only: $\lfloor B\rfloor$, $k\ \mathsf{says}\ \lfloor B\rfloor$, $k\ \mathsf{claims}\ \lfloor B\rfloor$, and $\ell\ \mathsf{claims}\ k\ \mathsf{says}\ \lfloor B\rfloor$.

2. ($\beta$-regular) $\Gamma \xrightarrow{\ell} k\ \mathsf{says}\ \lfloor A\rfloor$, where $\Gamma$ contains assumptions of the following forms only: $k\ \mathsf{says}\ \lfloor B\rfloor$, $k\ \mathsf{claims}\ \lfloor B\rfloor$, and $\ell\ \mathsf{claims}\ k\ \mathsf{says}\ \lfloor B\rfloor$.

Note that the difference between the hypotheses allowed in $\alpha$-regular and $\beta$-regular sequents is that the former may contain assumptions of the form $\lfloor B\rfloor$ whereas the latter may not.


Next, we define an inverse translation from the hypotheses of regular sequents to BL0. We denote the translation using the notation $\llcorner\cdot\lrcorner$.

Definition 1.7 (Inverse Translation). The inverse translation $\llcorner\Gamma\lrcorner$ of a regular hypothesis $\Gamma$ is defined pointwise on the assumptions, where the inverse translation of assumptions is defined as follows:

$\llcorner \lfloor A\rfloor \lrcorner = A$

$\llcorner k\ \mathsf{says}\ \lfloor A\rfloor \lrcorner = k\ \mathsf{claims}\ A$

$\llcorner k\ \mathsf{claims}\ \lfloor A\rfloor \lrcorner = k\ \mathsf{claims}\ A$

$\llcorner \ell\ \mathsf{claims}\ k\ \mathsf{says}\ \lfloor A\rfloor \lrcorner = k\ \mathsf{claims}\ A$
Lemma 1.8 (Completeness of Translation). The following hold.

1. If $\Gamma \xrightarrow{k} \lfloor A\rfloor$ is $\alpha$-regular and provable in DTL0, then $\llcorner\Gamma\lrcorner \xrightarrow{k} A$ is provable in BL0.

2. If $\Gamma \xrightarrow{\ell} k\ \mathsf{says}\ \lfloor A\rfloor$ is $\beta$-regular and provable in DTL0, then $\llcorner\Gamma\lrcorner \xrightarrow{k} A$ is provable in BL0.

Proof. We simultaneously prove the two clauses of the Lemma by induction on the derivations of the given regular sequents. For each clause, we analyze cases of the last rule in the derivation. We assume that weakening and strengthening for hypotheses hold in BL0. These may be established easily by induction on derivations.


Proof of (1).

Case. $\dfrac{P \text{ atomic}}{\Gamma, \lfloor P\rfloor \xrightarrow{k} \lfloor P\rfloor}$ (init)

1. $\llcorner\Gamma\lrcorner, P \xrightarrow{k} P$ (Rule (init))

Case. $\dfrac{\Gamma, k\ \mathsf{claims}\ \lfloor A\rfloor, \lfloor A\rfloor \xrightarrow{k} \lfloor C\rfloor \qquad k \succeq k}{\Gamma, k\ \mathsf{claims}\ \lfloor A\rfloor \xrightarrow{k} \lfloor C\rfloor}$ (claims)

1. $\llcorner\Gamma\lrcorner, k\ \mathsf{claims}\ A, A \xrightarrow{k} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, k\ \mathsf{claims}\ A \xrightarrow{k} C$ (Rule (claims))

Case. $\dfrac{\Gamma, \ell\ \mathsf{claims}\ k'\ \mathsf{says}\ \lfloor A\rfloor, k'\ \mathsf{says}\ \lfloor A\rfloor \xrightarrow{k} \lfloor C\rfloor \qquad \ell \succeq k}{\Gamma, \ell\ \mathsf{claims}\ k'\ \mathsf{says}\ \lfloor A\rfloor \xrightarrow{k} \lfloor C\rfloor}$ (claims)

1. $\llcorner\Gamma\lrcorner, k'\ \mathsf{claims}\ A, k'\ \mathsf{claims}\ A \xrightarrow{k} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, k'\ \mathsf{claims}\ A \xrightarrow{k} C$ (Strengthening)

Case. $\dfrac{\Gamma|_{\ell} \xrightarrow{\ell} k'\ \mathsf{says}\ \lfloor A\rfloor}{\Gamma \xrightarrow{k} \ell\ \mathsf{says}\ k'\ \mathsf{says}\ \lfloor A\rfloor}$ (saysR)

By definition, $\ell\ \mathsf{says}\ k'\ \mathsf{says}\ \lfloor A\rfloor = \lfloor k'\ \mathsf{says}\ A\rfloor$. Therefore we need to show that $\llcorner\Gamma\lrcorner \xrightarrow{k} k'\ \mathsf{says}\ A$. Assume that $\Gamma|_{\ell} = \ell\ \mathsf{claims}\ k_1\ \mathsf{says}\ \lfloor A_1\rfloor, \ldots, \ell\ \mathsf{claims}\ k_n\ \mathsf{says}\ \lfloor A_n\rfloor$. Note that $\llcorner\Gamma\lrcorner \supseteq k_1\ \mathsf{claims}\ A_1, \ldots, k_n\ \mathsf{claims}\ A_n$.

1. $k_1\ \mathsf{claims}\ A_1, \ldots, k_n\ \mathsf{claims}\ A_n \xrightarrow{k'} A$ (i.h. (2) on premise)

2. $k_1\ \mathsf{claims}\ A_1, \ldots, k_n\ \mathsf{claims}\ A_n \xrightarrow{k} k'\ \mathsf{says}\ A$ (Rule (saysR))

3. $\llcorner\Gamma\lrcorner \xrightarrow{k} k'\ \mathsf{says}\ A$ (Weakening)

Note that the application of (saysR) in step 2 is allowed in BL0, but not in DTL0.

Case. $\dfrac{\Gamma, k'\ \mathsf{says}\ \lfloor A\rfloor, k'\ \mathsf{claims}\ \lfloor A\rfloor \xrightarrow{k} \lfloor C\rfloor}{\Gamma, k'\ \mathsf{says}\ \lfloor A\rfloor \xrightarrow{k} \lfloor C\rfloor}$ (saysL)

1. $\llcorner\Gamma\lrcorner, k'\ \mathsf{claims}\ A, k'\ \mathsf{claims}\ A \xrightarrow{k} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, k'\ \mathsf{claims}\ A \xrightarrow{k} C$ (Strengthening)

Case. $\dfrac{\Gamma, \ell\ \mathsf{says}\ k'\ \mathsf{says}\ \lfloor A\rfloor, \ell\ \mathsf{claims}\ k'\ \mathsf{says}\ \lfloor A\rfloor \xrightarrow{k} \lfloor C\rfloor}{\Gamma, \ell\ \mathsf{says}\ k'\ \mathsf{says}\ \lfloor A\rfloor \xrightarrow{k} \lfloor C\rfloor}$ (saysL)

1. $\llcorner\Gamma\lrcorner, k'\ \mathsf{says}\ A, k'\ \mathsf{claims}\ A \xrightarrow{k} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, k'\ \mathsf{says}\ A \xrightarrow{k} C$ (Rule (saysL))

Case. $\dfrac{\Gamma \xrightarrow{k} \lfloor A\rfloor \qquad \Gamma \xrightarrow{k} \lfloor B\rfloor}{\Gamma \xrightarrow{k} \lfloor A\rfloor \wedge \lfloor B\rfloor}$ ($\wedge$R)

1. $\llcorner\Gamma\lrcorner \xrightarrow{k} A$ (i.h. on 1st premise)

2. $\llcorner\Gamma\lrcorner \xrightarrow{k} B$ (i.h. on 2nd premise)

3. $\llcorner\Gamma\lrcorner \xrightarrow{k} A \wedge B$ (Rule ($\wedge$R))

Case. $\dfrac{\Gamma, \lfloor A\rfloor \wedge \lfloor B\rfloor, \lfloor A\rfloor, \lfloor B\rfloor \xrightarrow{k} \lfloor C\rfloor}{\Gamma, \lfloor A\rfloor \wedge \lfloor B\rfloor \xrightarrow{k} \lfloor C\rfloor}$ ($\wedge$L)

1. $\llcorner\Gamma\lrcorner, A \wedge B, A, B \xrightarrow{k} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, A \wedge B \xrightarrow{k} C$ (Rule ($\wedge$L))

Case. $\dfrac{\Gamma \xrightarrow{k} \lfloor A\rfloor}{\Gamma \xrightarrow{k} \lfloor A\rfloor \vee \lfloor B\rfloor}$ ($\vee$R1)

1. $\llcorner\Gamma\lrcorner \xrightarrow{k} A$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner \xrightarrow{k} A \vee B$ (Rule ($\vee$R1))

Case. $\dfrac{\Gamma \xrightarrow{k} \lfloor B\rfloor}{\Gamma \xrightarrow{k} \lfloor A\rfloor \vee \lfloor B\rfloor}$ ($\vee$R2)

1. $\llcorner\Gamma\lrcorner \xrightarrow{k} B$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner \xrightarrow{k} A \vee B$ (Rule ($\vee$R2))

Case. $\dfrac{\Gamma, \lfloor A\rfloor \vee \lfloor B\rfloor, \lfloor A\rfloor \xrightarrow{k} \lfloor C\rfloor \qquad \Gamma, \lfloor A\rfloor \vee \lfloor B\rfloor, \lfloor B\rfloor \xrightarrow{k} \lfloor C\rfloor}{\Gamma, \lfloor A\rfloor \vee \lfloor B\rfloor \xrightarrow{k} \lfloor C\rfloor}$ ($\vee$L)

1. $\llcorner\Gamma\lrcorner, A \vee B, A \xrightarrow{k} C$ (i.h. on 1st premise)

2. $\llcorner\Gamma\lrcorner, A \vee B, B \xrightarrow{k} C$ (i.h. on 2nd premise)

3. $\llcorner\Gamma\lrcorner, A \vee B \xrightarrow{k} C$ (Rule ($\vee$L))

Case. $\Gamma \xrightarrow{k} \top$ ($\top$R)

1. $\llcorner\Gamma\lrcorner \xrightarrow{k} \top$ (Rule ($\top$R))

Case. $\Gamma, \bot \xrightarrow{k} \lfloor C\rfloor$ ($\bot$L)

1. $\llcorner\Gamma\lrcorner, \bot \xrightarrow{k} C$ (Rule ($\bot$L))

Case. $\dfrac{\Gamma, \lfloor A\rfloor \xrightarrow{k} \lfloor B\rfloor}{\Gamma \xrightarrow{k} \lfloor A\rfloor \supset \lfloor B\rfloor}$ ($\supset$R)

1. $\llcorner\Gamma\lrcorner, A \xrightarrow{k} B$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner \xrightarrow{k} A \supset B$ (Rule ($\supset$R))

Case. $\dfrac{\Gamma, \lfloor A\rfloor \supset \lfloor B\rfloor \xrightarrow{k} \lfloor A\rfloor \qquad \Gamma, \lfloor A\rfloor \supset \lfloor B\rfloor, \lfloor B\rfloor \xrightarrow{k} \lfloor C\rfloor}{\Gamma, \lfloor A\rfloor \supset \lfloor B\rfloor \xrightarrow{k} \lfloor C\rfloor}$ ($\supset$L)

1. $\llcorner\Gamma\lrcorner, A \supset B \xrightarrow{k} A$ (i.h. on 1st premise)

2. $\llcorner\Gamma\lrcorner, A \supset B, B \xrightarrow{k} C$ (i.h. on 2nd premise)

3. $\llcorner\Gamma\lrcorner, A \supset B \xrightarrow{k} C$ (Rule ($\supset$L))

Proof of (2).

Case. $\dfrac{\Gamma, \ell\ \mathsf{claims}\ k'\ \mathsf{says}\ \lfloor A\rfloor, k'\ \mathsf{says}\ \lfloor A\rfloor \xrightarrow{\ell} k\ \mathsf{says}\ \lfloor C\rfloor \qquad \ell \succeq \ell}{\Gamma, \ell\ \mathsf{claims}\ k'\ \mathsf{says}\ \lfloor A\rfloor \xrightarrow{\ell} k\ \mathsf{says}\ \lfloor C\rfloor}$ (claims)

1. $\llcorner\Gamma\lrcorner, k'\ \mathsf{claims}\ A, k'\ \mathsf{claims}\ A \xrightarrow{k} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, k'\ \mathsf{claims}\ A \xrightarrow{k} C$ (Strengthening)

Case. $\dfrac{\Gamma|_{k} \xrightarrow{k} \lfloor A\rfloor}{\Gamma \xrightarrow{\ell} k\ \mathsf{says}\ \lfloor A\rfloor}$ (saysR)

1. $\llcorner\Gamma|_{k}\lrcorner \xrightarrow{k} A$ (i.h. (1) on premise)

2. $\llcorner\Gamma\lrcorner \xrightarrow{k} A$ (Weakening)

Case. $\dfrac{\Gamma, k'\ \mathsf{says}\ \lfloor A\rfloor, k'\ \mathsf{claims}\ \lfloor A\rfloor \xrightarrow{\ell} k\ \mathsf{says}\ \lfloor C\rfloor}{\Gamma, k'\ \mathsf{says}\ \lfloor A\rfloor \xrightarrow{\ell} k\ \mathsf{says}\ \lfloor C\rfloor}$ (saysL)

1. $\llcorner\Gamma\lrcorner, k'\ \mathsf{claims}\ A, k'\ \mathsf{claims}\ A \xrightarrow{k} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, k'\ \mathsf{claims}\ A \xrightarrow{k} C$ (Strengthening)

No other cases apply.

□


We now prove Theorems 5.6 and 5.7.

Theorem 1.9 (Equivalence; Theorem 5.6). $\cdot \xrightarrow{K} A$ in BL0's sequent calculus if and only if $\vdash K\ \mathsf{says}\ A$ in BL0's axiomatic system.

Proof. Suppose $\cdot \xrightarrow{K} A$ in BL0's sequent calculus. By Lemma 1.4, $\cdot \vdash_{G} K\ \mathsf{says}\ (\top \supset A)$ in BL0's generalized axiomatic system. By Theorem 1.3, $\vdash K\ \mathsf{says}\ (\top \supset A)$. Now, as in the proof of Corollary C.10, this implies $\vdash K\ \mathsf{says}\ A$.

Conversely, suppose that $\vdash K\ \mathsf{says}\ A$ in BL0's axiomatic system. By Lemma 1.5, $\cdot \xrightarrow{\ell} \ell\ \mathsf{says}\ K\ \mathsf{says}\ \lfloor A\rfloor$ in DTL0. There is only one rule that can be applied to derive this: (saysR). Hence, $\cdot \xrightarrow{\ell} K\ \mathsf{says}\ \lfloor A\rfloor$. Again, only the rule (saysR) can derive this. Thus $\cdot \xrightarrow{K} \lfloor A\rfloor$. Now by Lemma 1.8.1, $\cdot \xrightarrow{K} A$ in BL0's sequent calculus. □

Theorem 1.10 (Correctness; Theorem 5.7). $\Gamma \xrightarrow{K} A$ in BL0's sequent calculus if and only if $\lfloor\Gamma\rfloor \xrightarrow{K} \lfloor A\rfloor$ in DTL0's sequent calculus.

Proof. Suppose $\Gamma \xrightarrow{K} A$ in BL0's sequent calculus. Let $\Gamma = A_1, \ldots, A_n$. Then,

1. $\cdot \vdash_{G} K\ \mathsf{says}\ (\Gamma \supset A)$ (Lemma 1.4)

2. $\vdash K\ \mathsf{says}\ (\Gamma \supset A)$ (Theorem 1.3)

3. $\cdot \xrightarrow{\ell} \ell\ \mathsf{says}\ K\ \mathsf{says}\ (\lfloor\Gamma\rfloor \supset \lfloor A\rfloor)$ (Lemma 1.5)

4. $\cdot \xrightarrow{K} \lfloor\Gamma\rfloor \supset \lfloor A\rfloor$ (Inversion)

5. $\cdot \xrightarrow{K} (\lfloor A_1\rfloor \wedge \ldots \wedge \lfloor A_n\rfloor) \supset \lfloor A\rfloor$ (Definitions)

6. $\lfloor A_1\rfloor, \ldots, \lfloor A_n\rfloor, (\lfloor A_1\rfloor \wedge \ldots \wedge \lfloor A_n\rfloor) \supset \lfloor A\rfloor \xrightarrow{K} \lfloor A\rfloor$ (Basic reasoning)

7. $\lfloor A_1\rfloor, \ldots, \lfloor A_n\rfloor \xrightarrow{K} \lfloor A\rfloor$, i.e. $\lfloor\Gamma\rfloor \xrightarrow{K} \lfloor A\rfloor$ (Theorem B.2 on 5 and 6)

Conversely, suppose $\lfloor\Gamma\rfloor \xrightarrow{K} \lfloor A\rfloor$. By Lemma 1.8.1, $\llcorner\lfloor\Gamma\rfloor\lrcorner \xrightarrow{K} \llcorner\lfloor A\rfloor\lrcorner$. But by definition, $\llcorner\lfloor\Gamma\rfloor\lrcorner = \Gamma$ and $\llcorner\lfloor A\rfloor\lrcorner = A$. Therefore, $\Gamma \xrightarrow{K} A$. □

Figure 7: Cut-free Sequent Calculus for CS4 (Taken from [13])

$\dfrac{A \text{ atomic}}{\Gamma, A \vdash A}$ (init)

$\dfrac{\Gamma \vdash A \qquad \Gamma \vdash B}{\Gamma \vdash A \wedge B}$ ($\wedge$R)

$\dfrac{\Gamma, A \wedge B, A \vdash C}{\Gamma, A \wedge B \vdash C}$ ($\wedge$L1)

$\dfrac{\Gamma, A \wedge B, B \vdash C}{\Gamma, A \wedge B \vdash C}$ ($\wedge$L2)

$\dfrac{\Box\Gamma \vdash A}{\Box\Gamma, \Gamma' \vdash \Box A}$ ($\Box$R)

$\dfrac{\Gamma, \Box A, A \vdash C}{\Gamma, \Box A \vdash C}$ ($\Box$L)

$\dfrac{\Gamma \vdash A}{\Gamma \vdash A \vee B}$ ($\vee$R1)

$\dfrac{\Gamma \vdash B}{\Gamma \vdash A \vee B}$ ($\vee$R2)

$\dfrac{\Gamma, A \vee B, A \vdash C \qquad \Gamma, A \vee B, B \vdash C}{\Gamma, A \vee B \vdash C}$ ($\vee$L)

$\Gamma \vdash \top$ ($\top$R)

$\Gamma, \bot \vdash C$ ($\bot$L)

$\dfrac{\Gamma, A \vdash B}{\Gamma \vdash A \supset B}$ ($\supset$R)

$\dfrac{\Gamma, A \supset B \vdash A \qquad \Gamma, A \supset B, B \vdash C}{\Gamma, A \supset B \vdash C}$ ($\supset$L)

1.3 Proof of Theorem 5.9

In this section we show that the translation from BL0 to CS4 is sound and complete (Theorem 5.9). We use a sequent calculus for CS4, shown in Figure 7. $\Gamma$ denotes a set of formulas in CS4, and $\Box\Gamma$ denotes a set of formulas of the form $\Box A$. This sequent calculus is the $\Diamond$-free fragment of a sequent calculus described by Bierman et al. [13], with only the difference that we restrict initial sequents (Rule (init)) to atomic formulas. However, we show (Lemma 1.11 below) that this restricted sequent calculus admits the general (init) rule; hence the two formulations of the sequent calculus are equivalent. Our version reduces the technical difficulty of proving completeness of the translation. It is shown in Bierman et al.'s paper that the sequent calculus is equivalent to the axiomatic formulation described in Section 5.1, that it admits weakening and the cut rule, and that it has the subformula property.

Lemma 1.11 (Identity). For each CS4 formula $A$, it is the case that $\Gamma, A \vdash A$.

Proof. By induction on $A$. We case analyze the top constructor in $A$. Most cases work as in the proof of Theorem B.3. The case $A = \Box B$ is new, and the case $A = A_1 \wedge A_2$ is different, because in CS4's sequent calculus we use two left rules for $\wedge$, whereas in DTL0's sequent calculus there is one left rule for $\wedge$. We show these two cases below.

Case. $A = \Box B$. Let $\Gamma = \Box\Gamma', \Gamma''$.

1. $\Box\Gamma', \Box B, B \vdash B$ (i.h. on $B$)

2. $\Box\Gamma', \Box B \vdash B$ (Rule ($\Box$L))

3. $\Box\Gamma', \Gamma'', \Box B \vdash \Box B$ (Rule ($\Box$R))

Case. $A = A_1 \wedge A_2$

1. $\Gamma, A_1 \wedge A_2, A_1 \vdash A_1$ (i.h. on $A_1$)

2. $\Gamma, A_1 \wedge A_2 \vdash A_1$ (Rule ($\wedge$L1))

3. $\Gamma, A_1 \wedge A_2, A_2 \vdash A_2$ (i.h. on $A_2$)

4. $\Gamma, A_1 \wedge A_2 \vdash A_2$ (Rule ($\wedge$L2))

5. $\Gamma, A_1 \wedge A_2 \vdash A_1 \wedge A_2$ (Rule ($\wedge$R) on 2 and 4)

□


Restricting initial sequents to atomic formulas allows us to prove the following inversion theorem, which helps us simplify the completeness proof. We can also prove completeness without this theorem, but we would have to consider many more cases.

Lemma 1.12 (Inversion in CS4). If there is a derivation of $\Gamma \vdash A \supset B$ in CS4's sequent calculus, then there is a shorter or equal derivation of $\Gamma, A \vdash B$.

Proof. We induct on the given derivation of $\Gamma \vdash A \supset B$, analyzing cases on the last rule. We do not explicitly prove that the constructed derivations are shorter or equal; the reader may verify this easily in each case.


Case. $\dfrac{\Gamma, \Box C, C \vdash A \supset B}{\Gamma, \Box C \vdash A \supset B}$ ($\Box$L)

1. $\Gamma, \Box C, C, A \vdash B$ (i.h. on premise)

2. $\Gamma, \Box C, A \vdash B$ (Rule ($\Box$L))

Case. $\dfrac{\Gamma, C_1 \wedge C_2, C_1 \vdash A \supset B}{\Gamma, C_1 \wedge C_2 \vdash A \supset B}$ ($\wedge$L1)

1. $\Gamma, C_1 \wedge C_2, C_1, A \vdash B$ (i.h. on premise)

2. $\Gamma, C_1 \wedge C_2, A \vdash B$ (Rule ($\wedge$L1))

Case. $\dfrac{\Gamma, C_1 \wedge C_2, C_2 \vdash A \supset B}{\Gamma, C_1 \wedge C_2 \vdash A \supset B}$ ($\wedge$L2)

1. $\Gamma, C_1 \wedge C_2, C_2, A \vdash B$ (i.h. on premise)

2. $\Gamma, C_1 \wedge C_2, A \vdash B$ (Rule ($\wedge$L2))

Case. $\dfrac{\Gamma, C_1 \vee C_2, C_1 \vdash A \supset B \qquad \Gamma, C_1 \vee C_2, C_2 \vdash A \supset B}{\Gamma, C_1 \vee C_2 \vdash A \supset B}$ ($\vee$L)

1. $\Gamma, C_1 \vee C_2, C_1, A \vdash B$ (i.h. on 1st premise)

2. $\Gamma, C_1 \vee C_2, C_2, A \vdash B$ (i.h. on 2nd premise)

3. $\Gamma, C_1 \vee C_2, A \vdash B$ (Rule ($\vee$L))

Case. $\Gamma, \bot \vdash A \supset B$ ($\bot$L)

1. $\Gamma, \bot, A \vdash B$ (Rule ($\bot$L))

Case. $\dfrac{\Gamma, A \vdash B}{\Gamma \vdash A \supset B}$ ($\supset$R)

1. $\Gamma, A \vdash B$ (Premise)

Case. $\dfrac{\Gamma, C_1 \supset C_2 \vdash C_1 \qquad \Gamma, C_1 \supset C_2, C_2 \vdash A \supset B}{\Gamma, C_1 \supset C_2 \vdash A \supset B}$ ($\supset$L)

1. $\Gamma, C_1 \supset C_2, A \vdash C_1$ (Weakening on 1st premise)

2. $\Gamma, C_1 \supset C_2, C_2, A \vdash B$ (i.h. on 2nd premise)

3. $\Gamma, C_1 \supset C_2, A \vdash B$ (Rule ($\supset$L))

No other cases apply.

□


We also need a lemma about BL0's sequent calculus for proving completeness.

Lemma 1.13. If $\Gamma, K\ \mathsf{says}\ A \xrightarrow{K'} C$ in BL0, then there is a shorter or equal derivation of $\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K'} C$.

Proof. By induction on the derivation of $\Gamma, K\ \mathsf{says}\ A \xrightarrow{K'} C$. □


Lemma 1.14 (Soundness of Translation). If $\Gamma \xrightarrow{K} A$ in the sequent calculus of BL0, then $\lceil\Gamma\rceil, K \vdash \lceil A\rceil$ in the sequent calculus of CS4 (where the translation of the context $\lceil\Gamma\rceil$ is defined pointwise, and $K\ \mathsf{claims}\ A$ is treated as $K\ \mathsf{says}\ A$).

Proof. We induct on the derivation of $\Gamma \xrightarrow{K} A$, analyzing cases of the last rule.

Case. $\dfrac{P \text{ atomic}}{\Gamma, P \xrightarrow{K} P}$ (init)

1. $\lceil\Gamma\rceil, P, K \vdash P$ (Rule (init))

Case. $\dfrac{\Gamma, K\ \mathsf{claims}\ A, A \xrightarrow{K} C}{\Gamma, K\ \mathsf{claims}\ A \xrightarrow{K} C}$ (claims)

1. $\lceil\Gamma\rceil, \Box(K \supset \lceil A\rceil), K \supset \lceil A\rceil, K \vdash K$ (Rule (init))

2. $\lceil\Gamma\rceil, \Box(K \supset \lceil A\rceil), K \supset \lceil A\rceil, K, \lceil A\rceil \vdash \lceil A\rceil$ (Lemma 1.11)

3. $\lceil\Gamma\rceil, \Box(K \supset \lceil A\rceil), K \supset \lceil A\rceil, K \vdash \lceil A\rceil$ (Rule ($\supset$L))

4. $\lceil\Gamma\rceil, \Box(K \supset \lceil A\rceil), K \vdash \lceil A\rceil$ (Rule ($\Box$L))

5. $\lceil\Gamma\rceil, \Box(K \supset \lceil A\rceil), \lceil A\rceil, K \vdash \lceil C\rceil$ (i.h. on premise)

6. $\lceil\Gamma\rceil, \Box(K \supset \lceil A\rceil), K \vdash \lceil C\rceil$ (Cut on 4 and 5)

Case. $\dfrac{\Gamma| \xrightarrow{K} A}{\Gamma \xrightarrow{K'} K\ \mathsf{says}\ A}$ (saysR)

Let $\Gamma| = K_1\ \mathsf{claims}\ A_1, \ldots, K_n\ \mathsf{claims}\ A_n$.

1. $\Box(K_1 \supset \lceil A_1\rceil), \ldots, \Box(K_n \supset \lceil A_n\rceil), K \vdash \lceil A\rceil$ (i.h. on premise)

2. $\Box(K_1 \supset \lceil A_1\rceil), \ldots, \Box(K_n \supset \lceil A_n\rceil) \vdash K \supset \lceil A\rceil$ (Rule ($\supset$R))

3. $\Box(K_1 \supset \lceil A_1\rceil), \ldots, \Box(K_n \supset \lceil A_n\rceil) \vdash \Box(K \supset \lceil A\rceil)$ (Rule ($\Box$R))

4. $\lceil\Gamma\rceil, K' \vdash \Box(K \supset \lceil A\rceil)$ (Weakening)

Case. $\dfrac{\Gamma, K\ \mathsf{says}\ A, K\ \mathsf{claims}\ A \xrightarrow{K'} C}{\Gamma, K\ \mathsf{says}\ A \xrightarrow{K'} C}$ (saysL)

1. $\lceil\Gamma\rceil, \Box(K \supset \lceil A\rceil), \Box(K \supset \lceil A\rceil), K' \vdash \lceil C\rceil$ (i.h. on premise)

2. $\lceil\Gamma\rceil, \Box(K \supset \lceil A\rceil), K' \vdash \lceil C\rceil$ (Strengthening)

Case. $\dfrac{\Gamma \xrightarrow{K} A \qquad \Gamma \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \wedge B}$ ($\wedge$R)

1. $\lceil\Gamma\rceil, K \vdash \lceil A\rceil$ (i.h. on 1st premise)

2. $\lceil\Gamma\rceil, K \vdash \lceil B\rceil$ (i.h. on 2nd premise)

3. $\lceil\Gamma\rceil, K \vdash \lceil A\rceil \wedge \lceil B\rceil$ (Rule ($\wedge$R))

Case. $\dfrac{\Gamma, A \wedge B, A, B \xrightarrow{K} C}{\Gamma, A \wedge B \xrightarrow{K} C}$ ($\wedge$L)

1. $\lceil\Gamma\rceil, \lceil A\rceil \wedge \lceil B\rceil, \lceil A\rceil, \lceil B\rceil, K \vdash \lceil C\rceil$ (i.h. on premise)

2. $\lceil\Gamma\rceil, \lceil A\rceil \wedge \lceil B\rceil, \lceil A\rceil, \lceil B\rceil, K \vdash \lceil A\rceil$ (Lemma 1.11)

3. $\lceil\Gamma\rceil, \lceil A\rceil \wedge \lceil B\rceil, \lceil B\rceil, K \vdash \lceil A\rceil$ (Rule ($\wedge$L1))

4. $\lceil\Gamma\rceil, \lceil A\rceil \wedge \lceil B\rceil, \lceil B\rceil, K \vdash \lceil B\rceil$ (Lemma 1.11)

5. $\lceil\Gamma\rceil, \lceil A\rceil \wedge \lceil B\rceil, K \vdash \lceil B\rceil$ (Rule ($\wedge$L2))

6. $\lceil\Gamma\rceil, \lceil A\rceil \wedge \lceil B\rceil, \lceil B\rceil, K \vdash \lceil C\rceil$ (Cut on 3 and 1)

7. $\lceil\Gamma\rceil, \lceil A\rceil \wedge \lceil B\rceil, K \vdash \lceil C\rceil$ (Cut on 5 and 6)

Case. $\dfrac{\Gamma \xrightarrow{K} A}{\Gamma \xrightarrow{K} A \vee B}$ ($\vee$R1)

1. $\lceil\Gamma\rceil, K \vdash \lceil A\rceil$ (i.h. on premise)

2. $\lceil\Gamma\rceil, K \vdash \lceil A\rceil \vee \lceil B\rceil$ (Rule ($\vee$R1))

Case. $\dfrac{\Gamma \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \vee B}$ ($\vee$R2)

1. $\lceil\Gamma\rceil, K \vdash \lceil B\rceil$ (i.h. on premise)

2. $\lceil\Gamma\rceil, K \vdash \lceil A\rceil \vee \lceil B\rceil$ (Rule ($\vee$R2))

Case. $\dfrac{\Gamma, A \vee B, A \xrightarrow{K} C \qquad \Gamma, A \vee B, B \xrightarrow{K} C}{\Gamma, A \vee B \xrightarrow{K} C}$ ($\vee$L)

1. $\lceil\Gamma\rceil, \lceil A\rceil \vee \lceil B\rceil, \lceil A\rceil, K \vdash \lceil C\rceil$ (i.h. on 1st premise)

2. $\lceil\Gamma\rceil, \lceil A\rceil \vee \lceil B\rceil, \lceil B\rceil, K \vdash \lceil C\rceil$ (i.h. on 2nd premise)

3. $\lceil\Gamma\rceil, \lceil A\rceil \vee \lceil B\rceil, K \vdash \lceil C\rceil$ (Rule ($\vee$L))

Case. $\Gamma \xrightarrow{K} \top$ ($\top$R)

1. $\lceil\Gamma\rceil, K \vdash \top$ (Rule ($\top$R))

Case. $\Gamma, \bot \xrightarrow{K} C$ ($\bot$L)

1. $\lceil\Gamma\rceil, \bot, K \vdash \lceil C\rceil$ (Rule ($\bot$L))

Case. $\dfrac{\Gamma, A \xrightarrow{K} B}{\Gamma \xrightarrow{K} A \supset B}$ ($\supset$R)

1. $\lceil\Gamma\rceil, \lceil A\rceil, K \vdash \lceil B\rceil$ (i.h. on premise)

2. $\lceil\Gamma\rceil, K \vdash \lceil A\rceil \supset \lceil B\rceil$ (Rule ($\supset$R))

Case. $\dfrac{\Gamma, A \supset B \xrightarrow{K} A \qquad \Gamma, A \supset B, B \xrightarrow{K} C}{\Gamma, A \supset B \xrightarrow{K} C}$ ($\supset$L)

1. $\lceil\Gamma\rceil, \lceil A\rceil \supset \lceil B\rceil, K \vdash \lceil A\rceil$ (i.h. on 1st premise)

2. $\lceil\Gamma\rceil, \lceil A\rceil \supset \lceil B\rceil, \lceil B\rceil, K \vdash \lceil C\rceil$ (i.h. on 2nd premise)

3. $\lceil\Gamma\rceil, \lceil A\rceil \supset \lceil B\rceil, K \vdash \lceil C\rceil$ (Rule ($\supset$L))

□

Next, we seek to show the converse of the above lemma, namely, if $\lceil\Gamma\rceil, K \vdash \lceil A\rceil$ in CS4, then $\Gamma \xrightarrow{K} A$ in BL0. Our approach is based on a careful characterization of sequents that may occur in a proof of $\lceil\Gamma\rceil, K \vdash \lceil A\rceil$. We call such sequents regular sequents.

Definition 1.15 (Regular Hypothesis). A CS4 hypothesis $\Gamma$ is called regular if it contains formulas of the form $\lceil A\rceil$ and $K \supset \lceil A\rceil$ only ($A$ denotes an arbitrary BL0 formula).

Definition 1.16 (Regular Sequents). A CS4 sequent is called regular if it has the form $\Gamma, K \vdash \lceil A\rceil$, where $\Gamma$ is a regular hypothesis.

Next, we define an inverse translation from regular sequents to BL0 sequents.

Definition 1.17 (Inverse Translation). The inverse translation $\llcorner\cdot\lrcorner$ for a regular hypothesis is defined pointwise, where the inverse translation for formulas is defined as follows.

$\llcorner \lceil A\rceil \lrcorner = A$

$\llcorner K \supset \lceil A\rceil \lrcorner = K\ \mathsf{claims}\ A$

A regular sequent $\Gamma, K \vdash \lceil A\rceil$ is inverse translated to $\llcorner\Gamma\lrcorner \xrightarrow{K} A$.
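As an added example (not code from the paper), the following Python encodes the two forward translations as they appear in the proof cases on this page, the inverse translations of Definitions 1.7 and 1.17, and the regularity test of Definition 1.6; the tuple encoding of formulas, the name `ELL` for the principal $\ell$ and the `prin` tag for principal atoms in CS4 are our assumptions.

```python
# Added example (not from the paper): the forward translations used on this
# page and the inverse translations of Definitions 1.7 and 1.17, plus the
# regularity test of Definition 1.6. Formulas are nested tuples; principals
# are strings; ELL stands for DTL0's principal ell (the name is our choice).
ELL = "ell"

def _pointwise(f, a, what):
    """Translate under a binary connective, or return an atom/constant as is."""
    if a[0] in ("atom", "top", "bot"):
        return a
    if a[0] in ("and", "or", "imp"):
        return (a[0], f(a[1]), f(a[2]))
    raise ValueError(f"not {what}: {a!r}")

def to_dtl0(a):
    """[A], BL0 into DTL0: [K says A] = ell says K says [A], rest pointwise."""
    if a[0] == "says":
        return ("says", ELL, ("says", a[1], to_dtl0(a[2])))
    return _pointwise(to_dtl0, a, "a BL0 formula")

def from_dtl0(d):
    """Inverse of to_dtl0; raises ValueError unless d has the form [A]."""
    if d[0] == "says" and d[1] == ELL and d[2][0] == "says" and d[2][1] != ELL:
        return ("says", d[2][1], from_dtl0(d[2][2]))
    return _pointwise(from_dtl0, d, "of the form [A]")

def inv_dtl0_hyp(h):
    """Definition 1.7 on one assumption of a regular DTL0 hypothesis."""
    if h[0] == "claims" and h[1] == ELL:            # ell claims k says [A]
        k_says = h[2]
        if k_says[0] != "says" or k_says[1] == ELL:
            raise ValueError(f"not a regular assumption: {h!r}")
        return ("claims", k_says[1], from_dtl0(k_says[2]))
    if h[0] in ("says", "claims") and h[1] != ELL:   # k says [A], k claims [A]
        return ("claims", h[1], from_dtl0(h[2]))
    return from_dtl0(h)                              # [A] (incl. ell says k says [A])

def regular_kind(gamma, principal, goal):
    """Definition 1.6: 'alpha', 'beta' or None for gamma -->^principal goal.
    An assumption of the form [A] inverse-translates to a plain formula, the
    other three regular forms to a 'claims' assumption."""
    try:
        kinds = [inv_dtl0_hyp(h)[0] for h in gamma]
        plain = any(k != "claims" for k in kinds)
        if principal != ELL:                         # alpha: gamma -->^k [A]
            from_dtl0(goal)
            return "alpha"
        if goal[0] == "says" and goal[1] != ELL and not plain:
            from_dtl0(goal[2])                       # beta: gamma -->^ell k says [A]
            return "beta"
    except ValueError:
        pass
    return None

def to_cs4(a):
    """<A>, BL0 into CS4: <K says A> = box(K imp <A>), K a principal atom."""
    if a[0] == "says":
        return ("box", ("imp", ("prin", a[1]), to_cs4(a[2])))
    return _pointwise(to_cs4, a, "a BL0 formula")

def from_cs4(c):
    """Inverse of to_cs4; raises ValueError unless c has the form <A>."""
    if c[0] == "box" and c[1][0] == "imp" and c[1][1][0] == "prin":
        return ("says", c[1][1][1], from_cs4(c[1][2]))
    return _pointwise(from_cs4, c, "of the form <A>")

def inv_cs4_hyp(h):
    """Definition 1.17: <A> maps back to A and K imp <A> to K claims A."""
    if h[0] == "imp" and h[1][0] == "prin":
        return ("claims", h[1][1], from_cs4(h[2]))
    return from_cs4(h)
```

The identity $\llcorner\lfloor\Gamma\rfloor\lrcorner = \Gamma$ used in the proof of Theorem 1.10 corresponds to `from_dtl0(to_dtl0(A)) == A` here, and `regular_kind` rejects a sequent whose hypothesis contains an assumption outside the four regular forms.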

The following completeness lemma contains two statements that we prove by simultaneous induction. The second statement is the actual completeness that we need. The first statement is needed for the induction to work.

Lemma 1.18 (Completeness of Translation). Let $\Gamma$ be a regular hypothesis.

1. If $\Gamma, K \vdash K'$ in CS4 and $K \neq K'$, then $\llcorner\Gamma\lrcorner \xrightarrow{K} C$ for any $C$ in BL0.

2. If $\Gamma, K \vdash \lceil A\rceil$ in CS4, then $\llcorner\Gamma\lrcorner \xrightarrow{K} A$ in BL0.

Proof. We induct on the depth of the given derivations, and analyze cases of the last rule in the derivations.

Proof of (1).

Case. $\Gamma, K \vdash K$ (init)

1. $K = K'$ ($K' \notin \Gamma$ by regularity)

2. Contradiction (Assumption $K \neq K'$ and 1)

3. $\llcorner\Gamma\lrcorner \xrightarrow{K} C$ (RAA)

Case. $\dfrac{\Gamma, \Box(K'' \supset \lceil A\rceil), K'' \supset \lceil A\rceil, K \vdash K'}{\Gamma, \Box(K'' \supset \lceil A\rceil), K \vdash K'}$ ($\Box$L)

1. $\llcorner\Gamma\lrcorner, K''\ \mathsf{says}\ A, K''\ \mathsf{claims}\ A \xrightarrow{K} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, K''\ \mathsf{says}\ A \xrightarrow{K} C$ (Rule (saysL))

Case. $\dfrac{\Gamma, \lceil A\rceil \wedge \lceil B\rceil, \lceil A\rceil, K \vdash K'}{\Gamma, \lceil A\rceil \wedge \lceil B\rceil, K \vdash K'}$ ($\wedge$L1)

1. $\llcorner\Gamma\lrcorner, A \wedge B, A \xrightarrow{K} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, A \wedge B, A, B \xrightarrow{K} C$ (Weakening)

3. $\llcorner\Gamma\lrcorner, A \wedge B \xrightarrow{K} C$ (Rule ($\wedge$L))

Case. $\dfrac{\Gamma, \lceil A\rceil \wedge \lceil B\rceil, \lceil B\rceil, K \vdash K'}{\Gamma, \lceil A\rceil \wedge \lceil B\rceil, K \vdash K'}$ ($\wedge$L2)

1. $\llcorner\Gamma\lrcorner, A \wedge B, B \xrightarrow{K} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, A \wedge B, A, B \xrightarrow{K} C$ (Weakening)

3. $\llcorner\Gamma\lrcorner, A \wedge B \xrightarrow{K} C$ (Rule ($\wedge$L))

Case. $\dfrac{\Gamma, \lceil A\rceil \vee \lceil B\rceil, \lceil A\rceil, K \vdash K' \qquad \Gamma, \lceil A\rceil \vee \lceil B\rceil, \lceil B\rceil, K \vdash K'}{\Gamma, \lceil A\rceil \vee \lceil B\rceil, K \vdash K'}$ ($\vee$L)

1. $\llcorner\Gamma\lrcorner, A \vee B, A \xrightarrow{K} C$ (i.h. on 1st premise)

2. $\llcorner\Gamma\lrcorner, A \vee B, B \xrightarrow{K} C$ (i.h. on 2nd premise)

3. $\llcorner\Gamma\lrcorner, A \vee B \xrightarrow{K} C$ (Rule ($\vee$L))

Case. $\Gamma, \bot, K \vdash K'$ ($\bot$L)

1. $\llcorner\Gamma\lrcorner, \bot \xrightarrow{K} C$ (Rule ($\bot$L))

Case. $\dfrac{\Gamma, \lceil A\rceil \supset \lceil B\rceil, K \vdash \lceil A\rceil \qquad \Gamma, \lceil A\rceil \supset \lceil B\rceil, \lceil B\rceil, K \vdash K'}{\Gamma, \lceil A\rceil \supset \lceil B\rceil, K \vdash K'}$ ($\supset$L)

1. $\llcorner\Gamma\lrcorner, A \supset B \xrightarrow{K} A$ (i.h. (2) on 1st premise)

2. $\llcorner\Gamma\lrcorner, A \supset B, B \xrightarrow{K} C$ (i.h. on 2nd premise)

3. $\llcorner\Gamma\lrcorner, A \supset B \xrightarrow{K} C$ (Rule ($\supset$L))

Case. $\dfrac{\Gamma, K'' \supset \lceil B\rceil, K \vdash K'' \qquad \Gamma, K'' \supset \lceil B\rceil, \lceil B\rceil, K \vdash K'}{\Gamma, K'' \supset \lceil B\rceil, K \vdash K'}$ ($\supset$L)

We analyze two subcases:

Case. $K = K''$

1. $\llcorner\Gamma\lrcorner, K''\ \mathsf{claims}\ B, B \xrightarrow{K} C$ (i.h. on the 2nd premise)

2. $\llcorner\Gamma\lrcorner, K''\ \mathsf{claims}\ B \xrightarrow{K} C$ (Rule (claims); $K = K''$)

Case. $K \neq K''$

1. $\llcorner\Gamma\lrcorner, K''\ \mathsf{claims}\ B \xrightarrow{K} C$ (i.h. on 1st premise)
Proof of (2).

Case. $\dfrac{A \text{ atomic}}{\Gamma, A, K \vdash A}$ (init)

1. $\llcorner\Gamma\lrcorner, A \xrightarrow{K} A$ (Rule (init))

Case. $\dfrac{\Box\Gamma \vdash K' \supset \lceil A\rceil}{\Box\Gamma, \Gamma', K \vdash \Box(K' \supset \lceil A\rceil)}$ ($\Box$R)

Let $\Box\Gamma = \Box(K_1 \supset \lceil A_1\rceil), \ldots, \Box(K_n \supset \lceil A_n\rceil)$.

1. $\Box\Gamma, K' \vdash \lceil A\rceil$ (Lemma 1.12 on premise)

2. $K_1\ \mathsf{says}\ A_1, \ldots, K_n\ \mathsf{says}\ A_n \xrightarrow{K'} A$ (i.h. on 1)

3. $K_1\ \mathsf{claims}\ A_1, \ldots, K_n\ \mathsf{claims}\ A_n \xrightarrow{K'} A$ (Lemma 1.13)

4. $K_1\ \mathsf{claims}\ A_1, \ldots, K_n\ \mathsf{claims}\ A_n, \llcorner\Gamma'\lrcorner \xrightarrow{K} K'\ \mathsf{says}\ A$ (Rule (saysR))

5. $K_1\ \mathsf{says}\ A_1, \ldots, K_n\ \mathsf{says}\ A_n, \llcorner\Gamma'\lrcorner \xrightarrow{K} K'\ \mathsf{says}\ A$ (Rule (saysL))

Case. $\dfrac{\Gamma, \Box(K' \supset \lceil A\rceil), K' \supset \lceil A\rceil, K \vdash \lceil C\rceil}{\Gamma, \Box(K' \supset \lceil A\rceil), K \vdash \lceil C\rceil}$ ($\Box$L)

1. $\llcorner\Gamma\lrcorner, K'\ \mathsf{says}\ A, K'\ \mathsf{claims}\ A \xrightarrow{K} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, K'\ \mathsf{says}\ A \xrightarrow{K} C$ (Rule (saysL))

Case. $\dfrac{\Gamma, K \vdash \lceil A\rceil \qquad \Gamma, K \vdash \lceil B\rceil}{\Gamma, K \vdash \lceil A\rceil \wedge \lceil B\rceil}$ ($\wedge$R)

1. $\llcorner\Gamma\lrcorner \xrightarrow{K} A$ (i.h. on 1st premise)

2. $\llcorner\Gamma\lrcorner \xrightarrow{K} B$ (i.h. on 2nd premise)

3. $\llcorner\Gamma\lrcorner \xrightarrow{K} A \wedge B$ (Rule ($\wedge$R))

Case. $\dfrac{\Gamma, \lceil A\rceil \wedge \lceil B\rceil, \lceil A\rceil, K \vdash \lceil C\rceil}{\Gamma, \lceil A\rceil \wedge \lceil B\rceil, K \vdash \lceil C\rceil}$ ($\wedge$L1)

1. $\llcorner\Gamma\lrcorner, A \wedge B, A \xrightarrow{K} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, A \wedge B, A, B \xrightarrow{K} C$ (Weakening)

3. $\llcorner\Gamma\lrcorner, A \wedge B \xrightarrow{K} C$ (Rule ($\wedge$L))

Case. $\dfrac{\Gamma, \lceil A\rceil \wedge \lceil B\rceil, \lceil B\rceil, K \vdash \lceil C\rceil}{\Gamma, \lceil A\rceil \wedge \lceil B\rceil, K \vdash \lceil C\rceil}$ ($\wedge$L2)

1. $\llcorner\Gamma\lrcorner, A \wedge B, B \xrightarrow{K} C$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner, A \wedge B, A, B \xrightarrow{K} C$ (Weakening)

3. $\llcorner\Gamma\lrcorner, A \wedge B \xrightarrow{K} C$ (Rule ($\wedge$L))

Case. $\dfrac{\Gamma, K \vdash \lceil A\rceil}{\Gamma, K \vdash \lceil A\rceil \vee \lceil B\rceil}$ ($\vee$R1)

1. $\llcorner\Gamma\lrcorner \xrightarrow{K} A$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner \xrightarrow{K} A \vee B$ (Rule ($\vee$R1))

Case. $\dfrac{\Gamma, K \vdash \lceil B\rceil}{\Gamma, K \vdash \lceil A\rceil \vee \lceil B\rceil}$ ($\vee$R2)

1. $\llcorner\Gamma\lrcorner \xrightarrow{K} B$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner \xrightarrow{K} A \vee B$ (Rule ($\vee$R2))

Case. $\dfrac{\Gamma, \lceil A\rceil \vee \lceil B\rceil, \lceil A\rceil, K \vdash \lceil C\rceil \qquad \Gamma, \lceil A\rceil \vee \lceil B\rceil, \lceil B\rceil, K \vdash \lceil C\rceil}{\Gamma, \lceil A\rceil \vee \lceil B\rceil, K \vdash \lceil C\rceil}$ ($\vee$L)

1. $\llcorner\Gamma\lrcorner, A \vee B, A \xrightarrow{K} C$ (i.h. on 1st premise)

2. $\llcorner\Gamma\lrcorner, A \vee B, B \xrightarrow{K} C$ (i.h. on 2nd premise)

3. $\llcorner\Gamma\lrcorner, A \vee B \xrightarrow{K} C$ (Rule ($\vee$L))

Case. $\Gamma, K \vdash \top$ ($\top$R)

1. $\llcorner\Gamma\lrcorner \xrightarrow{K} \top$ (Rule ($\top$R))

Case. $\Gamma, \bot, K \vdash \lceil C\rceil$ ($\bot$L)

1. $\llcorner\Gamma\lrcorner, \bot \xrightarrow{K} C$ (Rule ($\bot$L))

Case. $\dfrac{\Gamma, \lceil A\rceil, K \vdash \lceil B\rceil}{\Gamma, K \vdash \lceil A\rceil \supset \lceil B\rceil}$ ($\supset$R)

1. $\llcorner\Gamma\lrcorner, A \xrightarrow{K} B$ (i.h. on premise)

2. $\llcorner\Gamma\lrcorner \xrightarrow{K} A \supset B$ (Rule ($\supset$R))

Case. $\dfrac{\Gamma, \lceil A\rceil \supset \lceil B\rceil, K \vdash \lceil A\rceil \qquad \Gamma, \lceil A\rceil \supset \lceil B\rceil, \lceil B\rceil, K \vdash \lceil C\rceil}{\Gamma, \lceil A\rceil \supset \lceil B\rceil, K \vdash \lceil C\rceil}$ ($\supset$L)

1. $\llcorner\Gamma\lrcorner, A \supset B \xrightarrow{K} A$ (i.h. on 1st premise)

2. $\llcorner\Gamma\lrcorner, A \supset B, B \xrightarrow{K} C$ (i.h. on 2nd premise)

3. $\llcorner\Gamma\lrcorner, A \supset B \xrightarrow{K} C$ (Rule ($\supset$L))

Case. $\dfrac{\Gamma, K' \supset \lceil A\rceil, K \vdash K' \qquad \Gamma, K' \supset \lceil A\rceil, \lceil A\rceil, K \vdash \lceil C\rceil}{\Gamma, K' \supset \lceil A\rceil, K \vdash \lceil C\rceil}$ ($\supset$L)

We analyze two subcases:

Case. $K = K'$

1. $\llcorner\Gamma\lrcorner, K'\ \mathsf{claims}\ A, A \xrightarrow{K} C$ (i.h. on 2nd premise)

2. $\llcorner\Gamma\lrcorner, K'\ \mathsf{claims}\ A \xrightarrow{K} C$ (Rule (claims); $K = K'$)

Case. $K \neq K'$

1. $\llcorner\Gamma\lrcorner, K'\ \mathsf{claims}\ A \xrightarrow{K} C$ (i.h. (1) on 1st premise)

□
Theorem 1.19 (Correctness; Theorem 5.9). $\cdot \xrightarrow{K} A$ in BL0 if and only if $\vdash K \supset \lceil A\rceil$ in CS4.

Proof. Suppose $\cdot \xrightarrow{K} A$ in BL0. By Lemma 1.14, $K \vdash \lceil A\rceil$. Hence by rule ($\supset$R), $\cdot \vdash K \supset \lceil A\rceil$.

Conversely, suppose $\cdot \vdash K \supset \lceil A\rceil$ in CS4. By Lemma 1.12, $K \vdash \lceil A\rceil$. By Lemma 1.18.2, $\cdot \xrightarrow{K} A$. □